Solved Computer runs extremely slow, can't find cause, must be infected...

Status
Not open for further replies.

cehines

I've noticed our Windows Vista computer has run extremely slow for the last month or so. I've tried installing Spybot and Adaware and ran scans, and they got rid of what they found, but they really didn't find much, so I'm guessing this must be hiding well. Spybot only found one. Adaware found 39. Each removed all, but the PC still seems extremely slow. My virus scanner, McAfee, is up to date. I decided to run HijackThis and post the log here for some additional analysis. Thanks in advance.
 

Attachments

  • hijackthis.log (9 KB)
Please don't close this thread...

I'm still in the process of running all of the steps you outlined in the original post. I'll post back the logs you requested when done, it is taking a while to run all of the stuff. Thanks.
 
Ok, here are the logs you requested...

Thanks for your patience...I have included them all as attachments. If you need any of them to be cut and pasted let me know, some were a little large to cut and paste. Thanks, if you have any additional questions also, please let me know. Thanks again, in advance, sorry again that I took so long.
 

Attachments

  • Attach.txt (4.6 KB)
  • DDS.txt (13.5 KB)
  • gmer.log (179.5 KB)
  • mbam-log-2010-08-18 (21-27-20).txt (1.1 KB)
Thank you :)

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
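As an added illustration of what the MBRCheck step above verifies, and not code from this thread or from the MBRCheck tool itself: a Python parser that validates a 512-byte MBR, lists its partition table, checks the entries for overlap, and hashes the 440-byte boot code so it can be compared against a known-good value. The only reference hash in the table is the "Dell Inspiron MBR code" SHA1 that MBRCheck reports later in this thread; the sample MBR is constructed with its two NTFS partitions at the byte offsets from that same log, while the partition sizes, disk signature and boot-code bytes are made up for the example.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot loader; this is what MBRCheck hashes
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510..511

# Known-good boot-code hashes. The Dell Inspiron value is the one MBRCheck printed
# later in this thread; extend the table only with hashes you have verified yourself.
KNOWN_BOOT_CODE_SHA1: Dict[str, str] = {
    "AE3E0A945D44C8EA304A19A8F50F69065C34344B": "Dell Inspiron MBR code",
}

@dataclass
class Partition:
    index: int         # 1..4, position in the partition table
    bootable: bool     # status byte 0x80
    type_id: int       # 0x07 = NTFS/exFAT/HPFS
    lba_start: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        return self.lba_start * SECTOR

def parse_mbr(mbr: bytes) -> List[Partition]:
    """Validate the boot signature and return the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"MBR must be {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    parts: List[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue                      # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i + 1}: invalid status byte 0x{status:02X}")
        parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return parts

def find_overlaps(parts: List[Partition]) -> List[Tuple[int, int]]:
    """Index pairs of partitions whose sector ranges overlap (a sign of a tampered table)."""
    return [(a.index, b.index) for a in parts for b in parts
            if a.index < b.index
            and a.lba_start < b.lba_start + b.sectors
            and b.lba_start < a.lba_start + a.sectors]

def boot_code_sha1(mbr: bytes) -> str:
    """SHA-1 of the 440-byte boot code, upper-case hex as MBRCheck prints it."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()

def classify_boot_code(mbr: bytes) -> Optional[str]:
    """Name of the known-good boot code, or None when the hash is not recognised."""
    return KNOWN_BOOT_CODE_SHA1.get(boot_code_sha1(mbr))

def build_mbr(entries: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a test MBR from (status, type, lba_start, sectors) tuples."""
    boot_code = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (BOOT_CODE_LEN - 5)  # cli/xor/mov prologue + nop filler
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"               # bytes 440..445 (made up)
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    table += bytes(16 * (4 - len(entries)))                              # pad unused slots
    return boot_code + disk_sig + table + MBR_SIGNATURE

def build_sample_mbr() -> bytes:
    """Constructed sample: two NTFS partitions at the byte offsets MBRCheck printed for
    this machine (D: at 0x02800000, C: at 0x3ac000000). The sizes are made up."""
    return build_mbr([
        (0x00, 0x07, 0x02800000 // SECTOR, 30720000),     # D: recovery, inactive
        (0x80, 0x07, 0x3AC000000 // SECTOR, 594340528),   # C: system, active
    ])

def report(mbr: bytes) -> str:
    """Human-readable summary in the spirit of MBRCheck's output."""
    parts = parse_mbr(mbr)
    label = classify_boot_code(mbr) or "UNKNOWN - compare against a vendor or Windows reference"
    lines = [f"Boot code SHA1: {boot_code_sha1(mbr)}", f"Boot code: {label}"]
    for p in parts:
        state = "active" if p.bootable else "inactive"
        lines.append(f"  #{p.index} type 0x{p.type_id:02X} at offset 0x{p.byte_offset:x} "
                     f"({p.sectors * SECTOR // 2 ** 30} GiB, {state})")
    for a, b in find_overlaps(parts):
        lines.append(f"  WARNING: partitions #{a} and #{b} overlap")
    return "\n".join(lines)

if __name__ == "__main__":
    # To check a real disk instead, read its first sector (on Windows, as Administrator:
    # open(r"\\.\PhysicalDrive0", "rb").read(512)) and pass those bytes to report().
    print(report(build_sample_mbr()))
```

An unrecognised boot-code hash is not proof of a bootkit: OEM and Windows versions ship different MBR code, so compare against a reference taken from a known-clean machine of the same make before drawing conclusions.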
 
Additional logs...

Thanks. Below are the contents of the MBRCheck log; I've attached the Combofix one:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 546
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 142):

Processes (total 80):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`ac000000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`02800000 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200AAKS-75L9A0, Rev: 02.03E02

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Dell Inspiron MBR code detected
SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B


Done!
 

Attachments

  • ComboFix.txt (14.3 KB)
I can see, you ran Combofix before.
Please go to C:\Qoobox and post ComboFix2.txt content.
 
Combofix2.log

Yeah, I ran it the first time and noticed that I didn't have Windows Defender shut down, so I figured I'd better run it again since you said not to have malware-defending programs enabled.
 

Attachments

  • ComboFix2.txt (14.6 KB)
Combofix log looks clean.

Are you still using the ZoneAlarm firewall, or am I just seeing some leftovers?

How is the computer doing at the moment?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL logs...

I'm still using the ZoneAlarm firewall program. Also, my computer still doesn't really seem to be any better as of now. It is very slow to load anything.
I'm attaching the OTL.log, as I got an error when I tried to cut and paste it, "The following errors occurred with your submission:
The text that you have entered is too long (52082 characters). Please shorten it to 20000 characters long. "
 

Attachments

  • OTL.Txt (101.4 KB)
Extras.txt...

I got the same error with this file, so I'm adding it as an attachment too...
 

Attachments

  • Extras.Txt (42.2 KB)
Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

==========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:A8ADE5D8
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:DFC5A2B2
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

====================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Logs requested now...

Updated Java...

Then ran JavaRa...

Log is attached...

Ran OTL...


OTL LOG:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
ADS C:\ProgramData\Temp:A8ADE5D8 deleted successfully.
ADS C:\ProgramData\Temp:DFC5A2B2 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Brady
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 20310966 bytes
->Flash cache emptied: 456 bytes

User: Christi
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 55588310 bytes
->Flash cache emptied: 4120 bytes

User: Chuck
->Temp folder emptied: 3516970 bytes
->Temporary Internet Files folder emptied: 161519010 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1393 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gabrielle
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 8965028 bytes
->Flash cache emptied: 456 bytes

User: Hines
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 43179202 bytes
->Flash cache emptied: 1066 bytes

User: Public
->Temp folder emptied: 0 bytes

User: TEMP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 71421379 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 348.00 mb


[EMPTYFLASH]

User: All Users

User: Brady
->Flash cache emptied: 0 bytes

User: Christi
->Flash cache emptied: 0 bytes

User: Chuck
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Gabrielle
->Flash cache emptied: 0 bytes

User: Hines
->Flash cache emptied: 0 bytes

User: Public

User: TEMP

Total Flash Files Cleaned = 0.00 mb

Error: Unable to interpret <[Reboot]Then click the Run Fix button at the top > in the current context!

OTL by OldTimer - Version 3.2.10.0 log created on 08232010_212033

Files\Folders moved on Reboot...
C:\Users\Chuck\AppData\Local\Temp\~DF8B4C.tmp moved successfully.
File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9E55.tmp not found!
File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9E75.tmp not found!
File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9EDE.tmp not found!
File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9EFD.tmp not found!
File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9F6B.tmp not found!
File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9F8C.tmp not found!
C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WGH2FNTH\df949936-2850-4e26-af65-c14d91c5c48b[1].htm moved successfully.
C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WGH2FNTH\topic151761[2].html moved successfully.
C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RV84348U\sh21[1].html moved successfully.
C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6RJJ94NY\ads[5].htm moved successfully.
C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.
File\Folder C:\Windows\temp\WFV86EA.tmp not found!
File\Folder C:\Windows\temp\ZLT060b4.TMP not found!

Registry entries deleted on Reboot...

Ran Security check....


Log is attached...


Ran TFC. Tried to go to Kaspersky web site, keep getting "This tab has been recovered", won't load the site. I tried just going to it through Google, but get message when you go to the "Free Virus Scan" on their site it says its being upgraded and to download the 30 day trial version. One of the other URL's you gave me in previous posts, I had the same problem with, kept getting the "This tab has been recovered" over and over. I was able to get to that site thru Google. I have all Virus scan and antispyware software disabled. Thanks.
 

Attachments

  • checkup.txt (1.1 KB)
  • JavaRa.log (14.6 KB)
I don't understand...

Broni, I want to say thanks again for all your help. I'm sure this is just as frustrating for you. What should we try next? We've done all of this, yet my system still is horribly slow. I mean it takes literally 15 minutes to get into internet explorer once you turn the computer on. Just now, when I launched the internet explorer, it hung, then crashed the first time. Then, I chose to restart the program and my home page is google, and it took like another 5-7 minutes for it to relaunch and go to google. I'm not sure what is causing all this, maybe a browser hijacker. I don't know where to go at this point.
I really do appreciate your help, it just seems like we're at a standstill...
 
Does the issue concern IE only?

I still need you to complete Kaspersky scan.
By now, your computer should be malware free, but I have to make sure.

We'll try to find some remedy, but we have to proceed one step at a time.
 
Couple of additional comments...

I used to run 3-7 programs on my last computer to keep spyware off (Spybot, MalwareBytes, SuperAntiSpyware, SpywareBlaster, Glary Utilities, CCleaner) but found after a while it seemed to be slowing my pc down just as much to run the antispyware software, so it became counterproductive. I decided when we got this new one to go with only a virus scanner. As I said, one of the programs that I used to use was "SuperAntiSpyware". I noticed that you didn't use it, it always seemed to do the best job at removing the stuff, but the thing I found over time is it seemed to be a BIG resource hog and so I eventually took it off...I think I might've actually gotten the recommendations for the above programs from your 8 steps, as I believe it has been updated since I used it last, so maybe those programs have been eliminated...Your thoughts?..
 
Kaspersky site...

IE still won't let me into that site, same error. I tried rebooting, but it doesn't like something about that link or even going to it thru Google...
 
Firewall + AV + 1 antispyware program (Malwarebytes, or Superantispyware) + your good computer habits, that's all you need to be OK.

Do you have another browser?

Try one of these...

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • IMPORTANT! UN-check Remove found threats
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

==============================================================

Please run a BitDefender Online Scan

  • Disable your antivirus program.
  • Click Start Scanner button.
  • Click Start scan button
  • Allow browser plug-in to be installed when prompted.
  • Click I Agree to agree to the EULA.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on View log.
  • Notepad will open with scan results.
  • Save the report to your desktop and post its content in your next reply.
 
virus scans...

Broni:
Ran both the virus scans you mentioned, came up clean. The computer seems somewhat faster, I won't be able to tell for sure until I use it this weekend. I work 2 jobs thru the middle of the week, and don't have a lot of time to get on. If there is anything else to do, let me know and I'll post back this weekend. Thanks!
 
That's all we can do in the malware forum.
All clean :)
Let me know in a couple of days how things are...
 
Update...

Broni,
We started out this forum with a HJT log. However, we ran all the other stuff, never got back to it. I guess since it registered clean with all the other stuff, you felt there is no need to go any further. That's ok. I still don't feel that the computer is running the way it should be, it seems slow still, but I guess if there is nothing else we can do, we can't. I'll try uninstalling all of the spyware tools we used, and just keep one and my virus scanner and see what happens...Thanks again for all your help...
 
Your computer is definitely malware free and this is what we make sure of in this forum.
If you feel that your computer is still running slow, you may want to create a new topic at the Windows forum.

I have a little suggestion/test for you.
Try to uninstall ZoneAlarm, turn Windows firewall on and see how it goes.

We still need to run last steps....

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

===================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. Run defrag at your convenience.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
 
Thanks...

Ok, I've done the final preparation steps. It seems to be a bit faster already, it may have been the ZA firewall that was slowing it up a lot. Also, thru all of our scanning did we ever really find anything that could've at least been causing part of the problem...?
 