Another messed up system

[Gouge]

After installing XP SP3 and AVG 8, my pc slowed right down. I unsuccessfully uninstalled SP3 and had to re-install XP SP2 from the original disc. It's taken me weeks to get most of my applications back, but my pc is still slow. CPU spikes create havoc with my Audigy 2 ZS soundcard.

I uninstalled a number of old applications to release space and re-installed the soundcard software. I appears that the registry doesn't get fully changed when I uninstall programs because the installer quit saying that the software was already installed.

I also ran Spyware Detector and Malwarebytes, which picked up and deleted several "nasties" that AVG failed to find.

I've run Hijackthis and attached the log.

Can you help please?

 

[mflynn]

Hi Gouge

You should have come here first because SP3 was not your real issue. There is an issue with AVG after installing SP3. But AVG should have been uninstalled and reinstalled. In addition Avg's Link scanner is a slowdown.

I want you to uninstall AVG when I tell you and using the Revo Advanced uninstaller but not now.

We want to clean your system of Malware first.

Open MBAM and click logs. Attache me back all logs 1 at a time.
While in MBAM UPDATE again even if you already did earlier today.
then Click settings and confirm all are Checked.

Then run another mbam (but post the other logs first) then post me the new mbam log.

After that Do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Skip no steps (do not install another virus scanner as you already have one).

Of course you can skip the MalwareBytes as you have already done that!

Most importantly update MalwareBytes and SuperAntiSptware!

Before you scan with SuperAntiSpyWare do the below:

SuperAntispyware extra config

After installed double-click the icon on your desktop to run it.

Update the program definitions.

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure all boxes are checked except #3 Ignore System Restore.. are checked:

MalwareBytes extra config

After update but before running
Click settings and confirm all are Checked.

I repeat Update these 2 programs.

Run them and attach their logs.

Your HJT log is reasonably clear no need to post another as I will request one when needed after we are clean.

Mike

 

[Gouge]

Yes you are right. With hindsight, life would be much easier!

Anyway, thanks for offering to help. I only ran MBAM once on the advice of a friend, so I've attached the log.

I've also attached the recent export log from Spyware Detector, in case it might also help.

I'm now running a full scan using an updated MBAM. I'll send that when completed.

Thanks again.

 

[Gouge]

I'm in the process of running MBAM full scan but it seems to be so slow.

It has been running for 90 mins and has scanned 56200 objects.

In Task Manager I notice that on mbam.exe there have been over 2,400,000 page faults! Is this the problem?

In the past, when I ran MS diskscan I had to leave it overnight to complete.

 

[mflynn]

I don't know about the page faults that sounds like other and perhaps hardware problems.

MBAM is very thorough and can take a while based on Processor speed HD speed size of drive and how full/number of files.

It also could be your Spyware detector and or AVG interfering, did you turn them off. If not do so without exiting MBAM.

This week I had one person that it took 6 hours to run.

We need to get thu it and SAS then we will look at the system.

Mike

 

[Gouge]

False Alarm!!

I've found that Page Faults is badly named. Not a fault at all but just the system loading pages to RAM.

Not a problem after all - I'll carry on scanning fr as long as it takes.

 

[mflynn]

Ohhh nooo

Page faults are not mundane this is not good. Could be a RAM issue. You are lucky as if they were severe enough you would likely be blue screening

Is the scan showing activity and you are sure it is progressing?

Mike

 

[Gouge]

Yes, the scan is progressing slowly. I've also disabled AVG8 and Spyware Detector.

It could be quite a while before I have the logs from the 8-step process so please don't think I've abandoned the thread!

BTW I found the "Page Fault" response through a Google search. There were many entries saying it was not a fault.

I'll play safe and take your advice.

Thanks Mike

 

[DelJo63]

don't get side-tracked re page-faults. The scanning is ripping tons of files into memory, examining them and moving on.
If done right, the working set ought to be huge and page-faults to be expected. Your I/O bandwidth will be the limiting issue
and fragmentation of the pagefile a real nuisance BUT IGNORE all of this for now.

 

[Gouge]

OK, I followed the 8-step process and I've attached the logs.

Although I have full AVG8 Suite installed, I have no faith in its anility to provide me with adequate protection, so I ran AVAST and SuperAntiSpyware instead. Sure enough they appear to have found items that AVG had missed.

Please advise me on how to proceed now.

 

[mflynn]

Hi Gouge

Good job!

Run HJT Scan only Select and remove the below
O23 - Service: LVSrvLauncher - Unknown owner - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

Having more than one online active Virus Scanner is not good they fight each other sometimes giving less protection.

If you don't trust AVG then uninstall it. But recently it has been difficult to uninstall.

Use Revo http://www.revouninstaller.com/ and later for all other unistalls

Install update the run chose AVG8 select the bottom Advance uninstall it will then run the normal uninstall that would be run from Add/Remove programs. Click next and it will present leftover registry items that the uninstall process missed select all delete then click next it will then present Files and Folders also left by the uninstall select all delete.

Reboot

Then ...
AVG after uninstall cleanup tool https://www.techspot.com/vb/post689349-14.html

Now you should be clean of AVG.

Now due to the fact there were mbam and sas logs we did not see and also your SpywareDetector we need to run perhaps a couple more cleaners to be sure.

So..

ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall

Mike

 

[Gouge]

I think that I need more info here, Mike!
I downloaded ComboFix onto my desktop, double-clicked the icon, clicked "run" and all I got was a blue ComboFix screen with a flashing cursor! No text prompts - nothing. There was no obvious cpu activity, even though Task Manager showed the process was running.

I tried both download sites with the same results.

When I tried to close the process, nothing happened, everything had frozen up and I had to reboot each time.

Am I doing something wrong here?

BTW AVG uninstalled ok and I have AVAST running.

 

[mflynn]

Ok we still have issues unless you have had Combofix before?

We may have something that recognizes Combofix and has been programed to disable or prevent run. Or just a corrupted combofix install.

Go to Start-Run and type or paste the following combofix /u

Then do this.

Download SD Fix to Desktop among other things Catchme to look for RootKits.

http://downloads.andymanchesta.com/R...ools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike

 

[mflynn]

Cleared double post by me

Mike

 

[Gouge]

The link didn't work, but I managed to download SDFix from another site and run it.

Report attached.

(For info, when I reboot, it takes 70 secs for the Windows XP splash screen to load, i.e from POST until the XP screen clears and starts to load the desktop. I'm sure that it takes far longer than when the system was operatiing normally.)

 

[mflynn]

Ok do this when go to bed or work as it takes a long while. Very deep scan,

Download and extract/install http://www.majorgeeks.com/Kaspersky_AVP_Tool_d4515.html

Boot to Safe Mode to run. Will take hours but worth it.

Mike

 

[Gouge]

I managed to get ComboFix to work!!

I've attached the log.

I'll run the AVP Tool this evening and leave it running overnight as suggested.

 

[mflynn]

OK great found and removed some more. Run Combofix once more to see it come up clean.Attach log.

Then do the below after the AVP Tool.

Download RSIT
http://images.malwareremoval.com/random/RSIT.exe

Run it, when finished it will open a log Maximized on the screen, attach the contents of this log back here then close that log.

Then the 2nd log is Minimized so Max it and attach it also.
The logs will contain a HighJackThis log also so no need to poste a seperate one..

Mike

 

[Gouge]

OK, will do.

Forgot to attach the HJT log on last reply.

Also ran Spyware Detector which found more infections. They must have crept in when I had the defences down to run ComboFix.

See attachments

 

[Gouge]

Major problems!!!!!!!

I downloaded AVP and installed it. Explorer said there was a problem with the installation!!??

Howevere, I went to safe mode and tried to run it and it failed to run. However, when I went back to normal mode, AVP kept trying to start and failed.

The system slowed down and I had trouble in uninstalling AVP. There might still be some traces so I'll run CCleaner again. Then I'll attempt another download and install.

BTW I've also had problems accessing your website, even from a different PC. I gave up trying to submit the latest ComboFix log. It looked clean anyway.

 

[mflynn]

Ok you are the second one this week that had issues with AVP not running.

It does have issues uninstalling but I can handle that. But the fact it want run concerns me as it may indicate Malware that is programed to block AVP from running.

So lets get rid of AVP.

In TaskManager end all processes called avp.exe

Browse to and run C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\unins000.exe.

The above may not work, but proceed below if it does or not.

When prompted to, click "yes" and restart your computer.

Once back up

Download AutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Extract and run AutoRuns, give it a few seconds to populate then click the Everything Tab to make it selected.

Then do a ctrl-f for find. Type in AVP and find.
Click each AVP line to highlight the uncheck the box then rt click the line and delete it.

Once gone ctrl-f to find next same as above.

If any will not delete leave unchecked and continue as after the rest are gone and you have rebooted then you will be able to remove any that would not delete.

After AVP operation above slide the side slider to the top and click to highlight the first entry so to begin new search from here. The do ctrl-f and change search to kaspersky and remove as above.

While in AutoRuns lets get something else not related to AVP.

Slide back to top click top entry to begin search from there. ctrl-f search for "File not found" without quotes.

All computer will have several of these, so delete them all.

Reboot and if all is weel and AVP toll is gone we will proceed differently.

Mike

 

[Gouge]

Uninstalled AVP and tried a fresh download and run, but still failed.

Fully uninstalled AVP now, plus dozens of "File not found".

I've also attached the last ComboFix log.

Eagerly waiting for next steps!

 

[mflynn]

Open MBAM Update then click More Tools-Run Tool

Copy and paste the below line to File name and click OK answer yest to delete.

c:\windows\{00000000-00000000-0000000D-00001102-00000004-20021102}.BAK
----------------------------------------------------------------------------------------------------------------------------------------------------
D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
No install, just run it delete all it finds decline to reboot on each item found, until the program finishes then reboot.

Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.
It has no log just let me know what it found as it will be only a couple since running the other tools.
----------------------------------------------------------------------------------------------------------------------------------------------------

Then do Smitfraudfix downlaod and instructions here http://siri.geekstogo.com/SmitfraudFix.php

Mike

 

[Gouge]

OK done all of that.

Xclean found a Spy_Agent_ak in the HKEY/Current....Control Panel/Load.

Not sure what SmitFraudFix found. There were no instructions so I went through each option in turn.

Now my system is cleaner than most, I still suffer from an exceptional bootup time, even in Safe mode.

Any thoughts on what is causing this?

 

[mflynn]

The instructions were on the same screen you downloaded from with screen views and all.

Browse and attach the Smitfraud log C:\rapport.txt.

It never ceases to amaze me that a not very well known program like XClean from a very well know and very reputable company Xblock can still find Malware after all the others we ran. But I have seen this one do it often.
----------------------------------------------------------------------------------------------------------------------------------------------------
For slow boot

Download Dial-A-Fix (DAF)

http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

Have XP CD available in case DAF needs a file.

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here 1 at a time do the below

Process Idle Tasks
Reset WMI/WBEM (not reinstall)

Watch for any File not found or other errors and make note as this may lead to the fix!

Reboot retest!
----------------------------------------------------------------------------------------------------------------------------------------------------
Clean and tweak services

In services stop and disable all of the below just to get them out of the way for now for trouble shooting purposes.

Nothing is un-installed or deleted only disabled from running!

They can be put back anytime later but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

Disabled uses no memory (RAM) and no CPU cycles.
Manual uses the RAM but a small amount of CPU.
Auto and not started they use even more RAM and CPU.
Auto and started even more RAM and CPU ..

Now in this case we disabling for trouble shooting purposes. But when we finish if you leave them all off until it is noticed that you need one (not likely for 99%) then it can be enabled.

Leaving these all off, then becomes a performance tweak/boost as they free some RAM and CPU cycles! Special note. If you are going to pick and choose then be aware that the small amount of RAM and CPU cycles of each one individually is not significant but as a group it is! So if you need most of them (or just think you do because you don't) then just as well enable them all)!

Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Fast User switching
Health Key and Certificate Management Service
Indexing service
Messenger
Net logon
Net.TCP Port Sharing
NetMeeting Remote Desktop Sharing
IPsec services
QoS RSVP
Remote Registry
Uninterruptable power supply
Universal Plug and play
Web Client
Windows media player Network Sharing

IF you are using a wired network card and "NOT" using wireless on this computer then you can
also disable

Wireless Zero configuration

Wireless Zero configuration is only used on computers with a wireless NIC like a Laptop. Do not disable Wireless Zero configuration on a Laptop. Has nothing to do with other wireless hardware like wireless routers etc.

In short if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero configuration.

This is not to be confused with Wired Auto Config do not disable that!
----------------------------------------------------------------------------------------------------------------------------------------------------
Look here but DAF did the BootViz above so no need to do it again.

http://www.annoyances.org/exec/forum/winxp/n1041630673

Mike