TechSpot

Slow PC, popups, antivirus and system restore are ineffective

By Jeremyn
Jan 31, 2011
  1. Hello all,
    In the past week or so, my computer has been showing many symptoms of a virus. I get random popups, it's running very slowly, I get occasional alerts of a Generic Host shutting down (I'll write it down next time it happens) etc. I keep updating Avast and Malwarebytes and running scans, but neither are having any effect. I've tried a system restore to previous dates, but it didn't help at all either.
    I would like to try a system recovery or reset my laptop back to factory settings, but I can't even find the files to burn to CDs (I backed up files I want to keep).
    Can anyone let me know what I should do? How I could remove the virus, or find the system recovery files? It's a Gateway laptop, model mx6440, if that helps at all.
    (I've also checked on their website, they don't have the manual for this model, and their instructions for burning recovery disks don't work).
    Thanks in advance
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I will be glad to help with the malware, but I need some information first:

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    We can see if the problem is malware related and try to remove it. But having a slow PC often gets down to having too many processes starting on boot, then running in the background. I will see that in the logs and aside from malware, I can make suggestions of what processes can be removed from Start.

    Do not do a System Restore while I am helping you. If I do find malware and it's removed, you can reinfect the system if you use a restore point that's infected. I will have you remove all the old restore points and set a new, clean one at the end of cleaning.
     
  3. Jeremyn

    Jeremyn TS Rookie Topic Starter

    logs

    Here are the logs. I've never used the latter two programs before, so I'm hoping this is what I'm supposed to post.
    Thanks in advance for all the help!


    Malwarebytes log: (this is the quick scan one, but I did a full one afterwards if it makes a difference)

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5650

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/31/2011 6:29:41 PM
    mbam-log-2011-01-31 (18-29-41).txt

    Scan type: Quick scan
    Objects scanned: 136474
    Time elapsed: 13 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    -------------------------------------------------------------------

    Gmer log:
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-31 18:03:45
    Windows 5.1.2600 Service Pack 3
    Running: xgkdjqj7[1].exe; Driver: C:\DOCUME~1\Marie\LOCALS~1\Temp\kwlyypob.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 19692

    ---- EOF - GMER 1.0.15 ----
    _________________________________________________

    DDS log:

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Marie at 17:18:31.78 on Mon 01/31/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.396 [GMT -5:00]

    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
    C:\Program Files\CCleaner\CCleaner.exe
    C:\Documents and Settings\Marie\Local Settings\Temporary Internet Files\Content.IE5\3CJC3PA9\xgkdjqj7[1].exe
    C:\Documents and Settings\Marie\Local Settings\Temporary Internet Files\Content.IE5\3CJC3PA9\dds[1].scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.comcast.net/
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269104160531
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-28 294608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-28 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-28 40384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-8 135664]

    =============== Created Last 30 ================

    2011-01-31 22:18:42 -------- d-----w- c:\windows\system32\wbem\Logs
    2011-01-29 05:20:56 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    2011-01-29 05:20:56 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2011-01-29 05:20:56 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
    2011-01-29 05:20:56 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2011-01-29 05:20:56 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
    2011-01-29 05:20:56 5632 ----a-w- c:\windows\system32\kbd103.dll
    2011-01-29 05:20:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
    2011-01-29 05:20:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2011-01-29 05:19:57 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
    2011-01-29 05:19:57 6144 ----a-w- c:\windows\system32\kbd101b.dll
    2011-01-29 05:19:29 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2011-01-29 05:19:29 6144 ----a-w- c:\windows\system32\kbd106.dll
    2011-01-28 19:08:54 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-28 19:08:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2011-01-27 02:02:57 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-01-27 02:02:57 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-01-26 07:03:02 -------- d-----w- C:\$AVG
    2011-01-26 04:49:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Common Files
    2011-01-26 04:45:57 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-01-26 04:45:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2011-01-26 04:45:03 -------- d-----w- c:\program files\AVG
    2011-01-25 21:38:56 0 ----a-w- c:\windows\Knomegefimifet.bin
    2011-01-25 21:38:53 -------- d-----w- c:\docume~1\marie\locals~1\applic~1\{C98F0231-88D1-4720-BA99-C4B0663ECFF7}
    2011-01-09 16:21:41 -------- d-----w- c:\program files\NetZero

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: HTS541010G9AT00 rev.MBZOA60A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8610B555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x861117b0]; MOV EAX, [0x8611182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86194AB8]
    3 CLASSPNP[0xF75D2FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000071[0x8616A9E8]
    5 ACPI[0xF7449620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x861AC4D0]
    \Driver\atapi[0x86158BC8] -> IRP_MJ_CREATE -> 0x8610B555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHTS541010G9AT00_________________________MBZOA60A#5&1b7ab5c8&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8610B39B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 17:21:51.95 ===============

    DDS Attach:
    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/19/2010 6:39:05 PM
    System Uptime: 1/31/2011 2:03:22 PM (3 hours ago)

    Motherboard: Gateway | |
    Processor: AMD Turion(tm) 64 Mobile Technology ML-32 | Socket 754 | 1790/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 93 GiB total, 61.705 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_0300107B&REV_02\3&13C0B0C5&0&A6
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_0300107B&REV_02\3&13C0B0C5&0&A6
    Service:

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.4.1
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Athlon 64 Processor Driver
    ATI Display Driver
    avast! Free Antivirus
    Bonjour
    CCleaner
    Conexant AC-Link Audio
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    iTunes
    Java(TM) 6 Update 18
    Malwarebytes' Anti-Malware
    Microsoft Application Error Reporting
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    PowerDVD
    PowerDVD Ultra
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Skype Toolbars
    Skype™ 4.2
    Synaptics Pointing Device Driver
    System Tool2011
    Trillian
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB978506)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB978207)
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    WinRAR archiver
    WordPerfect Office 11

    ==== Event Viewer Messages From Past Week ========

    1/31/2011 2:09:06 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 0014A58C5B31 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    1/30/2011 2:51:57 AM, error: Service Control Manager [7022] - The Print Spooler service hung on starting.
    1/30/2011 2:51:57 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the avast! Antivirus service to connect.
    1/30/2011 2:51:57 AM, error: Service Control Manager [7000] - The avast! Antivirus service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/30/2011 2:34:53 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.
    1/30/2011 2:34:53 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SENS service.
    1/30/2011 2:34:53 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
    1/30/2011 12:35:41 PM, error: Dhcp [1002] - The IP address lease 192.168.1.98 for the Network Card with network address 0014A58C5B31 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    1/29/2011 12:42:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AmdK8 aswSP aswTdi Fips
    1/28/2011 3:33:10 PM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
    1/28/2011 3:06:31 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    1/27/2011 9:28:19 PM, error: Dhcp [1002] - The IP address lease 192.168.1.120 for the Network Card with network address 0014A58C5B31 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    1/27/2011 9:26:29 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Access is denied.
    1/27/2011 7:01:01 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/27/2011 1:34:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Fips MpFilter
    1/27/2011 1:34:22 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    1/27/2011 1:21:49 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/26/2011 6:49:31 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
    1/26/2011 6:49:31 AM, error: SideBySide [59] - Generate Activation Context failed for c:\program files\real\realplayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .
    1/26/2011 6:49:31 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
    1/26/2011 2:56:45 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014A58C5B31. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    1/26/2011 2:27:22 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/26/2011 12:53:27 AM, error: Dhcp [1002] - The IP address lease 192.168.1.112 for the Network Card with network address 0014A58C5B31 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    1/26/2011 12:48:07 AM, error: SideBySide [36] - The assembly x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7 has missing or invalid files; recovery of this assembly failed.
    1/26/2011 1:34:17 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Avgldx86 Avgmfx86 Fips
    1/26/2011 1:11:03 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    1/26/2011 1:08:35 AM, error: Microsoft Antimalware [2003] -
    1/25/2011 8:58:26 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014A58C5B31. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

    ==== End Of File ===========================
     
  4. Bobbye

    You did fine with the logs. The 'slow' is partially due to the fact that you have a lot of unnecessary processes loading, then running in the background. But we'll address that later.

    You have a rootkit, which is probably why the system hasn't cleaned up:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file > Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double-click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    Please paste the log into your next reply.
    =======================================
    I also note both of these running:
    AV: avast! Antivirus *Enabled/Updated*
    AV: Microsoft Security Essentials *Enabled/Updated*

    You should remove one of these AV programs. The system is more vulnerable with multiple AV programs, and it's also a source of slowdown.
    =======================================
    When you download the scanning programs, save them to the desktop. From there, double-click on the setup to run it. It looks like you are putting the downloads in temp files. This is not good because some of the scans make backups and they will be lost in temp files. For example:
    C:\Documents and Settings\Marie\Local Settings\Temporary Internet Files\Content.IE5\3CJC3PA9\xgkdjqj7[1].exe (GMER)
    C:\Documents and Settings\Marie\Local Settings\Temporary Internet Files\Content.IE5\3CJC3PA9\dds[1].scr (DDS)


    For instance: if you have your browser set to delete temporary internet files each time you close it, you will lose the above.
    =======================
     
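The indicators Bobbye reads out of the DDS and GMER output above (two real-time AV engines enabled, a hooked `DriverStartIo` in `\Driver\atapi` with the scanner's TDL3 warning, scanning tools run from Temporary Internet Files, no restore points, and AV boot-start drivers that failed to load in the event log) can be pulled out of a pasted log automatically. The script below is an added example written for this page; it is not part of the thread, DDS, GMER or TDSSKiller. The sample log is constructed from excerpts of the logs posted above, and the list of AV driver names it treats as security drivers is an assumption (a short hand-maintained set, not a tool's own list).

```python
"""Triage helper for pasted DDS/GMER-style Windows malware logs (added example)."""
import re

# Constructed sample: excerpts of the DDS/GMER output posted in this thread.
SAMPLE_LOG = r"""
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
C:\Documents and Settings\Marie\Local Settings\Temporary Internet Files\Content.IE5\3CJC3PA9\xgkdjqj7[1].exe
C:\Documents and Settings\Marie\Local Settings\Temporary Internet Files\Content.IE5\3CJC3PA9\dds[1].scr
detected hooks:
\Driver\atapi DriverStartIo -> 0x8610B39B
Warning: possible TDL3 rootkit infection !
No restore point in system.
1/29/2011 12:42:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AmdK8 aswSP aswTdi Fips
1/27/2011 1:34:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Fips MpFilter
"""

AV_LINE = re.compile(r"^AV:\s+(.+?)\s+\*Enabled")
HOOK_LINE = re.compile(r"^\\Driver\\(\w+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)")
FAILED_DRIVERS = re.compile(r"driver\(s\) failed to load:\s+(.+)$")
TEMP_PATH = re.compile(r"\\Local Settings\\(Temporary Internet Files|Temp)\\", re.I)

# Assumption: AV/security drivers expected to load at boot. A kernel-mode
# rootkit that keeps them from loading is a classic symptom; extend as needed.
AV_DRIVERS = {"aswSP", "aswTdi", "aswFsBlk", "Aavmker4", "MpFilter", "Avgldx86", "Avgmfx86"}


def triage(log_text):
    """Return a list of (severity, message) findings for one pasted log."""
    findings, avs, hooks, tools_in_temp, failed_av = [], [], [], [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = AV_LINE.match(line)
        if m:
            avs.append(m.group(1))
            continue
        m = HOOK_LINE.match(line)
        if m:
            hooks.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = FAILED_DRIVERS.search(line)
        if m:
            failed_av |= set(m.group(1).split()) & AV_DRIVERS
            continue
        if TEMP_PATH.search(line) and line.lower().endswith((".exe", ".scr")):
            tools_in_temp.append(line.rsplit("\\", 1)[-1])
            continue
        if "possible TDL3 rootkit" in line:
            findings.append(("HIGH", "scanner reports possible TDL3 rootkit"))
        elif line == "No restore point in system.":
            findings.append(("INFO", "no restore points; set a clean one after cleanup"))

    for drv, routine, addr in hooks:
        findings.append(("HIGH", f"{routine} of \\Driver\\{drv} hooked at {addr}"))
    if failed_av:
        findings.append(("HIGH", "AV boot-start drivers failed to load: " + ", ".join(sorted(failed_av))))
    if len(avs) > 1:
        findings.append(("MEDIUM", "multiple real-time AV engines enabled: " + ", ".join(avs)))
    if tools_in_temp:
        findings.append(("LOW", "tools run from temp folder (logs/backups may be lost): " + ", ".join(tools_in_temp)))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run it against a saved DDS or GMER log by replacing `SAMPLE_LOG` with the file contents; the hook and failed-driver checks are the ones that should move a helper from "run another AV scan" to "run an anti-rootkit tool first", as happens in this thread.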
  5. Jeremyn

    Hey, thanks for the advice. Really appreciate it.
    I thought I uninstalled the Microsoft Security Essentials, so I just did a search for it and saw it was still on my computer under oldfiles. I think I deleted it completely now.
    I'm not sure how to save these programs to desktop though. When I tried to download them, it went to WinRAR, which I'm not used to. How do I download them to my desktop from there?
    I did the TDSSKiller scan, but accidentally hit cure. Does that make a difference, or should I do a system restore to last night and do another scan to quarantine it?

    Here's the log though

    TDSSKiller log:
    2011/02/01 14:47:18.0171 0308 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
    2011/02/01 14:47:18.0500 0308 ================================================================================
    2011/02/01 14:47:18.0500 0308 SystemInfo:
    2011/02/01 14:47:18.0500 0308
    2011/02/01 14:47:18.0500 0308 OS Version: 5.1.2600 ServicePack: 3.0
    2011/02/01 14:47:18.0500 0308 Product type: Workstation
    2011/02/01 14:47:18.0500 0308 ComputerName: 777C589584F24F0
    2011/02/01 14:47:18.0500 0308 UserName: Marie
    2011/02/01 14:47:18.0500 0308 Windows directory: C:\WINDOWS
    2011/02/01 14:47:18.0500 0308 System windows directory: C:\WINDOWS
    2011/02/01 14:47:18.0500 0308 Processor architecture: Intel x86
    2011/02/01 14:47:18.0500 0308 Number of processors: 1
    2011/02/01 14:47:18.0500 0308 Page size: 0x1000
    2011/02/01 14:47:18.0500 0308 Boot type: Normal boot
    2011/02/01 14:47:18.0500 0308 ================================================================================
    2011/02/01 14:47:19.0703 0308 Initialize success
    2011/02/01 14:47:25.0546 1652 ================================================================================
    2011/02/01 14:47:25.0546 1652 Scan started
    2011/02/01 14:47:25.0546 1652 Mode: Manual;
    2011/02/01 14:47:25.0546 1652 ================================================================================
    2011/02/01 14:49:55.0562 1652 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/02/01 14:49:55.0562 1652 ================================================================================
    2011/02/01 14:49:55.0562 1652 Scan finished
    2011/02/01 14:49:55.0562 1652 ================================================================================
    2011/02/01 14:49:55.0578 3048 Detected object count: 1
    2011/02/01 14:50:11.0875 3048 \HardDisk0 - will be cured after reboot
    2011/02/01 14:50:11.0875 3048 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2011/02/01 14:50:20.0343 1636 Deinitialize success
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for the delay - internet was down from Tuesday night to mid-morning today!

    Okay, that looks good. I'd like you to go ahead and run the following:
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      (screenshot not reproduced)
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      (screenshot not reproduced)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  7. Jeremyn

    Jeremyn TS Rookie Topic Starter

    A log didn't pop up with the Eset, but I looked for it on Search, and this is the only log I found.
    If this isn't it, I'll run another scan.

    Eset Log:
    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=c298a248667eca43b19351699995c5ea
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-02-04 04:34:44
    # local_time=2011-02-03 11:34:44 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=1032 16777189 100 95 0 39844622 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=56646
    # found=0
    # cleaned=0
    # scan_time=5624


    Combofix notified me about the Microsoft Security Essentials. I'm still not sure how to fully remove it, since I uninstalled it and deleted everything that came up in search. I can't find the process for it either, so I don't know how to fully remove the program.
    Here's the log.

    Combofix log:
    ComboFix 11-01-31.02 - Marie 02/04/2011 0:44.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.621 [GMT -5:00]
    Running from: C:\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Marie\Local Settings\Application Data\{C98F0231-88D1-4720-BA99-C4B0663ECFF7}
    c:\documents and settings\Marie\Local Settings\Application Data\{C98F0231-88D1-4720-BA99-C4B0663ECFF7}\chrome\content\_cfg.js
    c:\documents and settings\Marie\Local Settings\Application Data\{C98F0231-88D1-4720-BA99-C4B0663ECFF7}\chrome\content\overlay.xul
    c:\documents and settings\Marie\Local Settings\Application Data\{C98F0231-88D1-4720-BA99-C4B0663ECFF7}\install.rdf

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-04 to 2011-02-04 )))))))))))))))))))))))))))))))
    .

    2011-02-04 02:43 . 2011-02-04 02:43 -------- d-----w- c:\program files\ESET
    2011-02-03 07:08 . 2011-02-04 05:18 -------- d-----w- c:\windows\system32\wbem\Logs
    2011-02-03 05:26 . 2011-02-03 05:53 -------- d-----w- c:\program files\VS Revo Group
    2011-02-02 19:35 . 2011-02-01 15:36 1360472 ----a-w- C:\TDSSKiller.exe
    2011-02-02 19:32 . 2009-04-22 04:02 1079296 ----a-w- C:\tempCleaner.exe
    2011-01-29 05:20 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    2011-01-29 05:20 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2011-01-29 05:20 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
    2011-01-29 05:20 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2011-01-29 05:20 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
    2011-01-29 05:20 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
    2011-01-29 05:20 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
    2011-01-29 05:20 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2011-01-29 05:19 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
    2011-01-29 05:19 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
    2011-01-29 05:19 . 2008-04-14 10:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2011-01-29 05:19 . 2008-04-14 10:39 6144 ----a-w- c:\windows\system32\kbd106.dll
    2011-01-28 19:08 . 2011-02-03 03:44 -------- d-----w- c:\program files\Alwil Software
    2011-01-28 19:08 . 2011-02-03 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2011-01-27 20:37 . 2011-01-27 20:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-01-27 02:02 . 2011-01-27 02:02 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-01-26 19:05 . 2011-01-26 19:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-01-26 04:49 . 2011-01-26 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
    2011-01-25 22:17 . 2011-01-25 22:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-01-25 21:39 . 2011-01-25 21:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-01-25 21:38 . 2011-01-26 05:07 0 ----a-w- c:\windows\Knomegefimifet.bin
    2011-01-09 16:21 . 2011-01-27 02:02 -------- d-----w- c:\program files\NetZero
    2011-01-09 06:29 . 2011-01-09 06:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-01 19:45 . 2011-02-01 19:46 1246371 ----a-w- C:\tdsskiller.zip
    2010-12-20 23:09 . 2010-03-20 17:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2010-03-20 17:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-18 18:12 . 2010-03-19 22:33 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-09 14:52 . 2008-04-14 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-02-08 21:40 1362320 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-08 1362320]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-08 1362320]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-07 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
    "BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2007-11-17 91432]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 72736]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-27 274608]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/8/2010 2:07 AM 135664]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 07:07]

    2011-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 07:07]

    2011-02-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-1275210071-1417001333-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

    2011-02-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-1275210071-1417001333-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

    2011-02-04 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-02-08 21:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-04 00:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(796)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-02-04 00:56:03
    ComboFix-quarantined-files.txt 2011-02-04 05:55

    Pre-Run: 66,253,131,776 bytes free
    Post-Run: 66,278,494,208 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - E9CC2202228F4EF6C769CBC57190EB9C
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you want to keep MSE and just disable it for scans? Or did you want to uninstall it and use Avast instead? Let me know so I can include any left over entries in the script. I already have removals set up for AVG left overs.

    Edit: 2 more questions:
    1. I notice Japanese Keyboard drivers installed on 2001-08-18. There are 12 entries, all same date. Is this still in use?
    2. Do you have any idea what this file is? 2011-01-25 21:38:56 0 ----a-w- c:\windows\Knomegefimifet.bin
    Same day shows this folder: c:\docume~1\marie\locals~1\applic~1\{C98F0231-88D1-4720-BA99-C4B0663ECFF7}
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You are badly infested with the Ask Toolbar. Many download screens have this pre-checked. We do not recommend having this. Check all screens carefully for pre-checks.

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    File::
    C:\TDSSKiller.exe
    C:\tempCleaner.exe
    c:\windows\Knomegefimifet.bin
    C:\tdsskiller.zip
    Folder::
    C:\$AVG
    c:\docume~1\alluse~1\applic~1\Common Files
    c:\windows\system32\drivers\AVG
    c:\docume~1\alluse~1\applic~1\AVG10
    c:\program files\AVG
    DDS::
    BHO: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Scheduled Tasks
    This needs to be stopped:
    Opening scheduled tasks to modify or delete them:
    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
    To change the settings for a task: right-click the Task> click Properties> do this for the Ask Update:
    • To delete a task> right-click the task> click Delete.
    Please go to Add/Remove Programs in the Control Panel. Uninstall any Ask related program. Then use Windows Explorer to delete the program folder:
    Right click on Start> Explore> My Computer> Double click on Local Drive (C)> Programs> find the Ask folder and do a right click> Delete.
     
  10. Jeremyn

    Jeremyn TS Rookie Topic Starter

    Thanks for all the info!
    I want to get rid of Microsoft Security Essentials altogether and use Avast instead.
    I uninstalled Avast and downloaded AVG, hoping it would speed up my computer, though that wasn't the case. I think I got rid of AVG though, since it wasn't mentioned by Combofix, while it did have a notice about MSE.
    I'd rather stick with Avast, or whichever antivirus slows down the comp the least.

    I'm not sure if those drivers are in use, and I don't know what that file is.
    I got rid of the Ask toolbar and anything I could find connected to it.

    Here's the log.
    Combofix Log:
    ComboFix 11-01-31.02 - Marie 02/05/2011 0:41.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.517 [GMT -5:00]
    Running from: C:\ComboFix.exe
    Command switches used :: C:\CFScript.txt.txt
    AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    FILE ::
    "C:\TDSSKiller.exe"
    "C:\tdsskiller.zip"
    "C:\tempCleaner.exe"
    "c:\windows\Knomegefimifet.bin"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\alluse~1\applic~1\Common Files
    c:\docume~1\alluse~1\applic~1\Common Files\E125D410-8E37-35BA-8ABC-03039E14414C.dat
    c:\program files\ask.com\GenericAskToolbar.dll
    C:\TDSSKiller.exe
    C:\tdsskiller.zip
    C:\tempCleaner.exe
    c:\windows\Knomegefimifet.bin

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-05 to 2011-02-05 )))))))))))))))))))))))))))))))
    .

    2011-02-04 02:43 . 2011-02-04 02:43 -------- d-----w- c:\program files\ESET
    2011-02-03 07:08 . 2011-02-05 05:24 -------- d-----w- c:\windows\system32\wbem\Logs
    2011-02-03 05:26 . 2011-02-05 04:50 -------- d-----w- c:\program files\VS Revo Group
    2011-01-29 05:20 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    2011-01-29 05:20 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2011-01-29 05:20 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
    2011-01-29 05:20 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2011-01-29 05:20 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
    2011-01-29 05:20 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
    2011-01-29 05:20 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
    2011-01-29 05:20 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2011-01-29 05:19 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
    2011-01-29 05:19 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
    2011-01-29 05:19 . 2008-04-14 10:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2011-01-29 05:19 . 2008-04-14 10:39 6144 ----a-w- c:\windows\system32\kbd106.dll
    2011-01-28 19:08 . 2011-02-03 03:44 -------- d-----w- c:\program files\Alwil Software
    2011-01-28 19:08 . 2011-02-03 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2011-01-27 20:37 . 2011-01-27 20:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-01-27 02:02 . 2011-01-27 02:02 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-01-26 19:05 . 2011-01-26 19:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-01-25 22:17 . 2011-01-25 22:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-01-25 21:39 . 2011-01-25 21:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-01-09 16:21 . 2011-01-27 02:02 -------- d-----w- c:\program files\NetZero
    2011-01-09 06:29 . 2011-01-09 06:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 23:09 . 2010-03-20 17:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2010-03-20 17:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-18 18:12 . 2010-03-19 22:33 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-09 14:52 . 2008-04-14 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-02-04_05.52.13 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-05 05:24 . 2011-02-05 05:24 16384 c:\windows\Temp\Perflib_Perfdata_204.dat
    + 2011-02-04 06:34 . 2011-02-04 06:35 3277312 c:\windows\Installer\3ce2d1.msi
    + 2011-02-04 06:22 . 2011-02-04 06:22 1568768 c:\windows\Installer\3ce2cd.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-07 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
    "BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2007-11-17 91432]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 72736]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-27 274608]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys --> c:\windows\system32\DRIVERS\avgldx86.sys [?]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys --> c:\windows\system32\DRIVERS\avgtdix.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/8/2010 2:07 AM 135664]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 07:07]

    2011-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 07:07]

    2011-02-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-1275210071-1417001333-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

    2011-02-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-1275210071-1417001333-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

    2011-02-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-02-08 21:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-05 00:50
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(844)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-02-05 00:53:55
    ComboFix-quarantined-files.txt 2011-02-05 05:53
    ComboFix2.txt 2011-02-04 05:56

    Pre-Run: 65,971,605,504 bytes free
    Post-Run: 65,961,857,024 bytes free

    - - End Of File - - DAC153A646D4936224C5291812C79B7F
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, we need to do a bit more cleaning up:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    KillAll::
    File::
    c:\windows\system32\DRIVERS\AVGIDSEH.Sys
    c:\windows\system32\DRIVERS\avgrkx86.sys
    c:\windows\system32\DRIVERS\avgldx86.sys
    c:\windows\system32\DRIVERS\AVGIDSDriver.Sys
    c:\windows\system32\DRIVERS\AVGIDSFilter.Sys 
    c:\windows\system32\DRIVERS\AVGIDSShim.Sys
    c:\progra~1\AVG\AVG10\avgrsx.exe
    c:\program files\Ask.com\UpdateTask.exe 
    SecCenter::
    {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    
    Driver::
    AVGIDSEH
    Avgrkx86
    Avgldx86
    Avgtdix
    AVGIDSDriver
    AVGIDSFilter
    AVGIDSShim
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    If there are any AVG files remaining after running the script above, please run this:
    Download AppRemover and save to the desktop.
    How to Use AppRemover to Remove a Complete Security Application
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      [image]
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    How to Use AppRemover to Clean Up a Failed Uninstall
    1. Return to Step 1 above
    2. Check Clean Up Failed Uninstall> Click Next
    3. Allow program to rescan for the security program that failed the uninstall
    4. Carefully Choose which application to uninstall> Next
    5. Follow prompts to close and Exit.
    .
    =========================================
    1. I have moved the MSE from the Combofix header.
    2. Use the msconfig utility to go to the Startup Menu. Uncheck any entry for AVG. Looks like it's set to start on boot.
    3. The Ask Toolbar is still showing in Scheduled Updates. Please remove it as requested.
    ====================================
    What is the status of the Slow PC, popups and AV problems?
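As an added example (not code from this thread and not part of ComboFix), here is a small Python parser that reads the driver/service lines, the BootExecute value and the Scheduled Tasks section of a ComboFix log like the ones pasted above and flags the kind of leftovers being chased here: drivers whose image file is missing (ComboFix prints these as `path --> path [?]`), and scheduled tasks or boot-time entries that still point into the AVG or Ask.com folders. The sample log lines are copied from the logs posted in this thread; the set of "removed vendor" folder names is an assumption based on what was asked to be removed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys --> c:\windows\system32\DRIVERS\avgtdix.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/8/2010 2:07 AM 135664]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
.
Contents of the 'Scheduled Tasks' folder

2011-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 07:07]

2011-02-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-08 21:40]
.
.
------- Supplementary Scan -------
"""

# Assumption: folder names of the vendors whose products were uninstalled in
# this thread (AVG and the Ask toolbar). Matched per path segment, not by
# substring, so "avgchsvx.exe" alone would not trigger on its file name.
REMOVED_VENDOR_FOLDERS = {"avg", "ask.com"}

# "R0 name;display;image [date size]" or, for a missing image, "... --> image [?]"
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<missing>.+?) \[\?\]| \[(?P<info>[^\]]+)\])$"
)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$")
TASK_TARGET_RE = re.compile(r"^- (?P<target>.+?) \[[^\]]*\]$")


@dataclass
class Finding:
    kind: str    # "orphan-driver", "leftover-task" or "bootexecute"
    name: str    # service name, .job path or BootExecute entry
    detail: str  # image path or explanation


def refers_to_removed_vendor(path: str) -> bool:
    """True when any folder component of the path is a removed vendor's folder."""
    return any(seg.lower() in REMOVED_VENDOR_FOLDERS for seg in path.split("\\"))


def find_leftovers(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_tasks = False
    pending_job = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("BootExecute "):
            # ComboFix prints REG_MULTI_SZ values with a literal '\0' between entries.
            for entry in line.split("\\0")[1:]:
                if refers_to_removed_vendor(entry):
                    findings.append(Finding("bootexecute", entry,
                                            "boot-time entry still launches a removed vendor's file"))
            continue
        m = DRIVER_RE.match(line)
        if m:
            # '--> path [?]' means the service is registered but its driver file is gone.
            if m.group("missing"):
                findings.append(Finding("orphan-driver", m.group("name"), m.group("path")))
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_tasks = True
            continue
        if in_tasks:
            if line == ".":          # section terminator in ComboFix logs
                in_tasks = False
                continue
            m = TASK_RE.match(line)
            if m:
                pending_job = m.group("job")
                continue
            m = TASK_TARGET_RE.match(line)
            if m and pending_job:
                if refers_to_removed_vendor(m.group("target")):
                    findings.append(Finding("leftover-task", pending_job, m.group("target")))
                pending_job = None
    return findings


def main() -> None:
    for f in find_leftovers(SAMPLE_LOG):
        print(f"{f.kind:14} {f.name}  ->  {f.detail}")


if __name__ == "__main__":
    main()
```

Running it against the sample lists the three orphaned AVG drivers, the two AVG BootExecute entries and the Ask Toolbar task, which are exactly the items the next CFScript and the Scheduled Tasks instructions target.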
     
  12. Jeremyn

    Jeremyn TS Rookie Topic Starter

    I ran the scan with the code you gave me. I don't see any traces of AVG in the startup of MSconfig, so I guess it's completely gone.
    The Ask toolbar should be gone as well.
    EDIT: I see the Ask mentioned in the log. I went to scheduled tasks (but had to go through Control Panel, since I didn't see System Tools in Accessories) and deleted it after the previous Combofix scan, so I'm not sure where it's hiding now. Is there another way to access a list of Scheduled Tasks, in case the folder in Control Panel isn't the one you meant?
    I think the MSE is still on it though.

    I don't have any popups, the only antivirus problem is that MSE is still on my comp, but it is still running fairly slowly. The audio/video is also choppy, I'm assuming due to the slow speed.

    Combofix log:
    ComboFix 11-02-05.01 - Marie 02/06/2011 15:04:46.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.515 [GMT -5:00]
    Running from: C:\ComboFix.exe
    Command switches used :: C:\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    FILE ::
    "c:\progra~1\AVG\AVG10\avgrsx.exe"
    "c:\program files\Ask.com\UpdateTask.exe"
    "c:\windows\system32\DRIVERS\AVGIDSDriver.Sys"
    "c:\windows\system32\DRIVERS\AVGIDSEH.Sys"
    "c:\windows\system32\DRIVERS\AVGIDSFilter.Sys"
    "c:\windows\system32\DRIVERS\AVGIDSShim.Sys"
    "c:\windows\system32\DRIVERS\avgldx86.sys"
    "c:\windows\system32\DRIVERS\avgrkx86.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AVGIDSDRIVER
    -------\Legacy_AVGIDSEH
    -------\Legacy_AVGIDSFILTER
    -------\Legacy_AVGIDSSHIM
    -------\Legacy_AVGLDX86
    -------\Legacy_AVGRKX86
    -------\Legacy_AVGTDIX
    -------\Service_AVGIDSDriver
    -------\Service_AVGIDSEH
    -------\Service_AVGIDSFilter
    -------\Service_AVGIDSShim
    -------\Service_Avgldx86
    -------\Service_Avgrkx86
    -------\Service_Avgtdix


    ((((((((((((((((((((((((( Files Created from 2011-01-06 to 2011-02-06 )))))))))))))))))))))))))))))))
    .

    2011-02-05 06:40 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-02-05 06:40 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-05 06:40 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-05 06:40 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-05 06:40 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-02-05 06:40 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-02-05 06:40 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-02-05 06:38 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
    2011-02-05 06:38 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-04 02:43 . 2011-02-04 02:43 -------- d-----w- c:\program files\ESET
    2011-02-03 07:08 . 2011-02-06 20:22 -------- d-----w- c:\windows\system32\wbem\Logs
    2011-02-03 05:26 . 2011-02-05 04:50 -------- d-----w- c:\program files\VS Revo Group
    2011-01-29 05:20 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    2011-01-29 05:20 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2011-01-29 05:20 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
    2011-01-29 05:20 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2011-01-29 05:20 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
    2011-01-29 05:20 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
    2011-01-29 05:20 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
    2011-01-29 05:20 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2011-01-29 05:19 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
    2011-01-29 05:19 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
    2011-01-29 05:19 . 2008-04-14 10:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2011-01-29 05:19 . 2008-04-14 10:39 6144 ----a-w- c:\windows\system32\kbd106.dll
    2011-01-28 19:08 . 2011-02-05 06:36 -------- d-----w- c:\program files\Alwil Software
    2011-01-28 19:08 . 2011-02-05 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2011-01-27 20:37 . 2011-01-27 20:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-01-27 02:02 . 2011-01-27 02:02 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-01-26 19:05 . 2011-01-26 19:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-01-25 22:17 . 2011-01-25 22:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-01-25 21:39 . 2011-01-25 21:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-01-09 16:21 . 2011-01-27 02:02 -------- d-----w- c:\program files\NetZero
    2011-01-09 06:29 . 2011-01-09 06:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 23:09 . 2010-03-20 17:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2010-03-20 17:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-18 18:12 . 2010-03-19 22:33 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-09 14:52 . 2008-04-14 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-02-04_05.52.13 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-06 20:21 . 2011-02-06 20:21 16384 c:\windows\Temp\Perflib_Perfdata_7bc.dat
    + 2011-02-04 06:34 . 2011-02-04 06:35 3277312 c:\windows\Installer\3ce2d1.msi
    + 2011-02-04 06:22 . 2011-02-04 06:22 1568768 c:\windows\Installer\3ce2cd.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-07 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
    "BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2007-11-17 91432]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 72736]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-27 274608]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/5/2011 1:40 AM 294608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/5/2011 1:40 AM 17744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/8/2010 2:07 AM 135664]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 07:07]

    2011-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 07:07]

    2011-02-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-1275210071-1417001333-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

    2011-02-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-1275210071-1417001333-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-06 15:23
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(808)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(3820)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\CyberLink\Shared files\RichVideo.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-06 15:30:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-06 20:30
    ComboFix2.txt 2011-02-05 05:53
    ComboFix3.txt 2011-02-04 05:56

    Pre-Run: 65,733,029,888 bytes free
    Post-Run: 65,670,168,576 bytes free

    - - End Of File - - 3B55F3083C099A992F0D7FAD3B060045
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry about the messy Reply #11. Every once in a while, when I run a Google spell check, it messes up the tags or letters at the end of a line. Keep the AppRemover handy- you may need it some time!

    So you followed the path I gave you and System Tools was missing the Scheduled Tasks? Do you know if any other functions are missing? My systems are Dell and I found that Dell added another 'Accessories' folder in addition to the one through All Programs. I finally got everything moved to one folder.

    Using Scheduled Tasks in the Control Panel just gives you the wizard to add a task, not remove.

    For MSE: Windows XP
    1. Click Start, click Run, type appwiz.cpl in the Run text box, and then click OK.
    2. Select Microsoft Security Essentials, and then click Uninstall.
    3. Restart the computer
    =============================
    I asked you if you were still using the 9 entries for the Japanese keyboard:
    2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    If not, I can remove them.
    ======================
    About 'Slow:' Our Windows XP Home systems have been around for a while. Unless you are using an overwriting program like Eraser, all those entries you 'deleted' are still on the system, until it gets so full of 'trash' it overwrites on its own. But that's way down the line. Do routine maintenance with Disk Cleanup and Defrag, and use a program like TFC in between (I don't like CCleaner).

    How much installed RAM do you have on the old bear? We were given 256mb originally, then found we needed to double that to get any decent performance. Then found that 1024mb was even better!
    ======================================
    Run a HijackThis scan for me and I'll have you check entries that don't need to be running:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  14. Jeremyn

    Jeremyn TS Rookie Topic Starter

    Don't worry about it, no need to apologize.
    I'm not sure which functions I'm supposed to have actually, so I don't know what else I'm missing.
    Oh, that was how I uninstalled MSE initially. I also deleted any file which came up in Search. How come it's still a process then?
    I've also done TFC cleans since uninstalling it.
    If the Japanese keyboard files are from 2001, I guess I'll keep them.
    I think it's the 1024, at least that's what it said when I looked up the specs for this laptop.
    Thanks a lot for bearing with me!

    Here's the log.

    HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:47:41 PM, on 2/6/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\HijackThis.exe
    C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1269104160531
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 7842 bytes
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The only processes you need on Startup are:
    Antivirus program
    Firewall if you have 3rd party firewall (like Comodo or ZoneAlarm)
    Touchpad if on laptop
    Network processes if using Pure Networks/Cisco

    Nothing else
    So I'm going to have you check everything you don't need running in the background, then you can uncheck on Startup using msconfig:

    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\iPod\bin\iPodService.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe


    Close all Windows except HijackThis and click on "Fix Checked."
    ============================================

    • [1].Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      [2]. Take off Startup:
    • Start> Run> type in msconfig>enter> Selective Startup> Startup menu>
    • Uncheck any process you don't want to start on boot>
    • when finished with all the unchecking> click on Apply> OK
      (Example: you decide you don't need Cyberlink to start on boot: so you Uncheck NAME of Process)

      [3]. Uninstall a program:
    • Start> Settings> Control Panel> Add/Remove Programs> uninstall here> Close

      [4]. Remove program folder (only if program is uninstalled)
    • Access Windows Explorer:
      Right click on Start> Explore:
    • Open My Computer> double click on Local Drive (C)> Programs
    • Find the folder for any program you uninstalled> do a right click> Delete on each folder.
    • Close Windows Explorer.

      [5]. Change Service Startup type
    • Start> Run> type in services.msc
    • double click the Service> Change the Startup type as follows:
      - For a Service related to a program you will use as needed but does not start on boot> Manual
      - For a Service related to a program you have uninstalled> Disabled Startup type> stop Service
    • Close Services.


    Reboot the computer back into Normal Mode: NOTE: the first time you reboot after using msconfig, you get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    Summary:

    • [1]. Boot into Safe Mode first.
      [2]. Uncheck the process on the Start menu to stop the process from starting on boot.
      [3]. Uninstall any program or app you don't need or use.
      [4]. Remove the program folder if you uninstalled the program.
      [5]. Change any associated Service to either Disabled or Manual Startup.
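    The triage rule in the post above (keep only antivirus, firewall, touchpad and network helpers on startup; everything else gets checked) can be applied mechanically to a HijackThis v2 log. The script below is an added example, not code from this thread, from TechSpot or from HijackThis itself. The sample log lines are copied from the log posted earlier in this thread; the allowlist patterns, the `AUTORUN_CODES` set and the function names are this example's own assumptions. HijackThis prints "Unknown owner" on an O23 line when the service binary carries no company name in its version resource, which the script also reports separately.

```python
"""Triage a HijackThis v2 log against the 'only AV, firewall, touchpad,
network on startup' rule from the thread.  Added example, not from the
original page; allowlist and function names are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# A HijackThis entry line: "<code> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# First Windows path ending in .exe/.dll in the body (quoted or not).
PATH_RE = re.compile(r'(?i)([a-z]:\\[^"\r\n]*?\.(?:exe|dll))')

# Entry types that launch code at boot/logon or into the browser.
AUTORUN_CODES = {"O2", "O3", "O4", "O23"}

# Allowlist (assumption): the only things the post says should stay on
# startup on this machine.  Matched on path, so a renamed binary in the
# same folder would also pass; this is a triage aid, not a verdict.
KEEP_PATTERNS = [
    re.compile(r"\\Alwil Software\\Avast5\\", re.I),  # antivirus
    re.compile(r"\\Synaptics\\SynTP\\", re.I),        # laptop touchpad
]


@dataclass(frozen=True)
class HjtEntry:
    code: str            # R0, O2, O4, O23, ...
    body: str            # text after "<code> - "
    path: Optional[str]  # first Windows path in the body, if any


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse every recognised entry line; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(HjtEntry(m.group("code"), body, pm.group(1) if pm else None))
    return entries


def is_allowed(entry: HjtEntry) -> bool:
    return entry.path is not None and any(p.search(entry.path) for p in KEEP_PATTERNS)


def entries_to_check(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Autorun-type entries that are not on the allowlist: candidates for 'Fix Checked'."""
    return [e for e in entries if e.code in AUTORUN_CODES and not is_allowed(e)]


def unknown_owner_services(entries: List[HjtEntry]) -> List[HjtEntry]:
    """O23 services whose binary has no company name (HijackThis prints 'Unknown owner')."""
    return [e for e in entries if e.code == "O23" and "Unknown owner" in e.body]


# Sample input: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
"""


def report(text: str) -> List[str]:
    """Human-readable triage lines, one per flagged entry."""
    entries = parse_hjt(text)
    lines = [f"CHECK   {e.code:<4}{e.path or e.body}" for e in entries_to_check(entries)]
    lines += [f"NOOWNER {e.code:<4}{e.path}" for e in unknown_owner_services(entries)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

    Run it against a full saved log with `python hjt_triage.py < hijackthis.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the output is the list to tick in HijackThis before 'Fix Checked', which still needs a human look, since the allowlist keys on paths rather than on file signatures.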
     
  16. Jeremyn

    Jeremyn TS Rookie Topic Starter

    I did all that, but the computer is still running a lot slower than it did 2 or 3 weeks ago (before the virus).
    Is there anything else I can do to or get rid of to speed it up?

    Thanks a lot for all the help, it's really appreciated!
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome- but I have no magic rabbit in my hat!

    If you stopped the processes in HJT I had you check and if you took the unnecessary programs off of Startup and if you have uninstalled any programs you're not using and if you really do have 1024MB of RAM, no. Or you can run the RAM chips through memtest.

    Go to the Control Panel> System> How much RAM does it say you have installed?
    What type of connection do you have? I see Net Zero- isn't that only dial-up?

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
Topic Status:
Not open for further replies.
