Inactive My PC is too slow

[Angelina]

Hi
my PC is not working properly.its too slow.my kaspersky anti-virus says no threats detected, but im not convinced.pls help me...
I followed the instructions and below are the logs :
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.05

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
AB :: A [administrator]

6/12/2012 9:01:31 PM
mbam-log-2012-06-12 (21-54-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 181275
Time elapsed: 40 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\AB\My Documents\Downloads\SoftonicDownloader_for_vlc-media-player.exe (PUP.BundleOffer.Downloader.S) -> No action taken.

(end)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-09 23:38:39
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SV4002H rev.QP100-12
Running: 4kfgijq0.exe; Driver: C:\DOCUME~1\AB\LOCALS~1\Temp\pxtdrpow.sys
---- System - GMER 1.0.15 ----

Edit: Duplicate GMER log has been deleted.

---- User IAT/EAT - GMER 1.0.15 ----
couldnt fit everything in 1 thread so contd....

 

[Angelina]

Hi
my PC is not working properly.its too slow.my kaspersky anti-virus says no threats detected, but im not convinced.pls help me...
I followed the instructions and below are the logs :
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Edit: Duplicate Malwarebytes log has been deleted. Both logs show No Action Taken
(end)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-09 23:38:39
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SV4002H rev.QP100-12
Running: 4kfgijq0.exe; Driver: C:\DOCUME~1\AB\LOCALS~1\Temp\pxtdrpow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF4DA35FA]
Edit: Excess GMER entries have been deleted.

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xF4DA3EFE]

---- User IAT/EAT - GMER 1.0.15 ----

 

[Angelina]

contd gmer logs...
Edit: Excess GMER entries have been deleted.

---- User IAT/EAT - GMER 1.0.15 ----

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by AB at 18:47:08 on 2012-06-12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.98 [GMT 5.5:30]
.
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?babsrc=HP_ss&affID=101292&mntrId=b452a30d000000000000000244aa1df0
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\bh\BabylonToolbar.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\BabylonToolbarTlbr.dll
uRun: [Google Update] "c:\documents and settings\ab\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-7-5 475736]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-11-2 365336]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-5-31 40776]
.
=============== Created Last 30 ================
.
2012-05-31 16:50:1740776----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-31 16:37:19--------d-----w-c:\documents and settings\ab\application data\Malwarebytes
2012-05-31 16:34:09--------d-----w-c:\documents and settings\all users\application data\Malwarebytes
2012-05-31 16:33:5622344----a-w-c:\windows\system32\drivers\mbam.sys
2012-05-31 16:33:54--------d-----w-c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
.
============= FINISH: 18:48:42.93 ===============
contd. further...

 

[Angelina]

contd....

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/5/2011 4:03:33 PM
System Uptime: 6/12/2012 6:33:05 PM (0 hours ago)
.
Motherboard: | | i845
Processor: Intel(R) Pentium(R) 4 CPU 1.70GHz | Socket 478 | 1716/100mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 20 GiB total, 9.964 GiB free.
D: is FIXED (NTFS) - 18 GiB total, 15.91 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_125D&DEV_2838&SUBSYS_2838125D&REV_01\4&172A2BDD&0&10F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_125D&DEV_2838&SUBSYS_2838125D&REV_01\4&172A2BDD&0&10F0
Service:
.
==== System Restore Points ===================
.
RP19: 3/26/2012 5:49:24 PM - System Checkpoint
RP20: 4/25/2012 5:44:42 PM - System Checkpoint
RP21: 5/18/2012 9:49:22 PM - System Checkpoint
RP22: 5/24/2012 6:38:36 PM - System Checkpoint
RP23: 6/9/2012 8:46:48 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Reader X (10.1.0)
Advertising Center
Babylon toolbar on IE
DolbyFiles
Google Chrome
ImagXpress
Kaspersky Anti-Virus 2011
Malwarebytes Anti-Malware version 1.61.0.1400
Menu Templates - Starter Kit
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Movie Templates - Starter Kit
Nero 9 Essentials
Nero BurnRights
Nero BurnRights Help
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero DiscSpeed
Nero DiscSpeed Help
Nero DriveSpeed
Nero DriveSpeed Help
Nero Express Help
Nero InfoTool
Nero InfoTool Help
Nero Installer
Nero Online Upgrade
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero Vision Help
NeroExpress
neroxml
VLC media player 1.1.11
WebFldrs XP
Windows Installer 3.1 (KB893803)
.
==== Event Viewer Messages From Past Week ========
.
6/9/2012 9:03:56 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
6/7/2012 12:44:28 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
6/7/2012 12:13:16 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
6/6/2012 3:14:38 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
6/6/2012 3:13:28 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
6/6/2012 3:10:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Kaspersky Anti-Virus Service service to connect.
6/6/2012 3:10:32 PM, error: Service Control Manager [7000] - The Kaspersky Anti-Virus Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================
any help would be much appreciated...

 

[Bobbye]

I'm having all of your threads merged into the original thread. Please don't start a new thread to continue- start a new reply on the same thread instead.

 

[Bobbye]

Please read instructions for scans carefully. The reason you had so many posts is because you missed this in GMER:

Warning! Please do not select the "Show all" checkbox during the scan.

I'vr had all of your logs combined in this thread. We will only use this one threa while we are working on this same problem at the same time.

You posted the same Malwarebytes log twice, so I have deleted one of them. However, again you didn't read the directions to:

[*] Be sure that everything is checked, and click Remove Selected.

So all the malware that was found wasn't removed. Please update Malwarebytes and run it again. Take care to check the box to remove all entries found.
=====================================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------

• 
  Download Combofix from HERE or HEREand save to the desktop
  • Double click combofix.exe
    
    & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    

    The Recovery Console was successfully installed.

  • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
  • Note: No query will be made if the Recovery Console is already on the system.
• Close any open browsers.
• Before you run the Combofix scan, please disable any security software you have running.
  (If you need help with this, please see HERE)
• Click on Yes, to continue scanning for malware
• If Combofix asks you to update the program, allow
• When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.
Note 1o not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficultyand terminates prematurely, the connection can be manually restored by restarting your machine.
==============================================

To run the Eset Online Virus Scan:
If you use Internet Explorer:

1. Open the ESETOnlineScan
2. Skip to #4 to "Continue with the directions"
   
   If you are using a browser other than Internet Explorer
3. Open Eset Smart Installer
   [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
   [o] Double click on the desktop icon to run.
   [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
4. Continue with the directions.
5. Check 'Yes I accept terms of use.'
6. Click Start button
7. Accept any security warnings from your browser.
   
   
8. Uncheck 'Remove found threats'
9. Check 'Scan archives/
10. Leave remaining settings as is.
11. Press the Start button.
12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
13. When the scan completes, press List of found threats
14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
15. Push the Back button, then Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
========================================
Please leave the following logs in your next reply, on this thread. You may use more than one post for a log if needed, but it must be in this thread:
New log from rescan with Malwarebytes
Combofix
Eset online virus scan.
======================================

My Guidelines: please read and follow:

• Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
• Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
• If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
• File sharing programs should be uninstalled or disabled during the cleaning process..
• Observe these:
  [o] Don't follow directions given to someone else
  [o] Don't use any other cleaning programs or scans while I'm helping you.
  [o] Don't use a Registry cleaner or make any changes in the Registry.
  [o] Don't download and install new programs- except those I give you.

Threads are closed after 5 days if there is no reply.

 

[Angelina]

The next set of logs you asked for.....
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.14.07

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
AB :: A [administrator]

6/14/2012 8:56:32 PM
mbam-log-2012-06-14 (20-56-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 181673
Time elapsed: 39 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
ComboFix 12-06-14.01 - AB 06/14/2012 23:28:05.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.121 [GMT 5.5:30]
Running from: c:\documents and settings\AB\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\AB\My Documents\~WRL2044.tmp
c:\documents and settings\AB\My Documents\~WRL2819.tmp
.
c:\windows\system32\drivers\usbehci.sys . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ABP470N5
.
.
((((((((((((((((((((((((( Files Created from 2012-05-14 to 2012-06-14 )))))))))))))))))))))))))))))))
.
.
2012-06-14 16:39 . 2012-06-14 16:39--------d-----w-c:\program files\ESET
2012-05-31 16:37 . 2012-05-31 16:37--------d-----w-c:\documents and settings\AB\Application Data\Malwarebytes
2012-05-31 16:34 . 2012-05-31 16:34--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-31 16:33 . 2012-04-04 10:2622344----a-w-c:\windows\system32\drivers\mbam.sys
2012-05-31 16:33 . 2012-05-31 16:36--------d-----w-c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-02 365336]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Reader 10.0\\Reader\\Reader_sl.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 11:06 AM 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]
S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPHLPSVC
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1606980848-1060284298-1003Core.job
- c:\documents and settings\AB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 13:24]
.
2012-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1606980848-1060284298-1003UA.job
- c:\documents and settings\AB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 13:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/?babsrc=HP_ss&affID=101292&mntrId=b452a30d000000000000000244aa1df0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.94.243.70 59.179.243.70
.
.
------- File Associations -------
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-14 23:47
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-06-14 23:55:51 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-14 18:25
.
Pre-Run: 10,779,484,160 bytes free
Post-Run: 12,166,492,160 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3BFA125B5B6A2314390973CECAE370A5
eset scan results...
C:\Documents and Settings\AB\Local Settings\Application Data\Babylon\Setup\Setup.exeWin32/Toolbar.Babylon application
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dlla variant of Win32/Toolbar.Babylon application
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dllWin32/Toolbar.Babylon application
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exeprobably a variant of Win32/Toolbar.Babylon application
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dllWin32/Toolbar.Babylon application
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dllWin32/Toolbar.Babylon application
D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install (1).exea variant of Win32/InstallCore.D application
D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install.exea variant of Win32/InstallCore.D application

 

[Bobbye]

You need to look for any pre-checked processes on download screens. Frequently toolbard and/or browser helper objects having nothing to do with what you're downloading will be checked. You should also use the Custom install feature if offerred instead of 'standard install.' Then you can prevent some of the useless bundled junk from getting into the system.

Please uninstall any entries for the Babylon Toolbar.. It's okay if you need Babylon for translation, but the toolbar is useless and bundled in the program.
Also go to Tools> Manage addons in IE> Look in both sections> addons currently on system/addons previously on system> Delete any addons for the Babylon Toolbar> then click on Apply> OK
=================================================

Please download OTMovit by Old Timerand save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Files
  C:\Documents and Settings\AB\Local Settings\Application Data\Babylon\Setup\Setup.exe
  C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll
  C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dll
  C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe
  C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll
  C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll
  D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install (1).exe\
  D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install.exe
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
--------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  

  :filefind
  usbehci.*

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
=================================================
Please run this Custom CFScript:

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:

File::
Folder::
DDS::
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\bh\BabylonToolbar.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\BabylonToolbarTlbr.dll
 
 
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-
"AntiVirusDisableNotify"=-
"FirewallDisableNotify"=-
"FirewallOverride"=-
"UpdatesDisableNotify"=-
"UacDisableNotify"=-
 
 
Clearjavacache::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Questions:

This system shows less than a year old> Microsoft Windows XP Professional
Install Date: 7/5/2011 4:03:33 PM
With 2 small hard drives- one almost full.

How much RAM is there on the system? (Control Panel> System> System properties)

 

[Bobbye]

Do you plan to continue?

 

[Angelina]

oh im sry...was lil caught up in other things... so here are the logs....



All processes killed
========== FILES ==========
C:\Documents and Settings\AB\Local Settings\Application Data\Babylon\Setup\Setup.exe moved successfully.
File/Folder C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll not found.
File/Folder C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dll not found.
File/Folder C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe not found.
File/Folder C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll not found.
File/Folder C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll not found.
D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install (1).exe moved successfully.
D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: AB
->Temp folder emptied: 495683 bytes
->Temporary Internet Files folder emptied: 754556 bytes
->Google Chrome cache emptied: 46829944 bytes
->Flash cache emptied: 21838 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7372 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 48.00 mb

SystemLook 30.07.11 by jpshortstuff
Log created at 10:53 on 18/06/2012 by AB
Administrator - Elevation successful

========== filefind ==========

Searching for "usbehci.*"
C:\cmdcons\USBEHCI.SY_--a---- 15034 bytes[17:38 03/08/2004][17:38 03/08/2004] 4622A7C6B2789441839796EDDDF180B0

-= EOF =-



ComboFix 12-06-16.02 - AB 06/18/2012 11:26:52.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.18 [GMT 5.5:30]
Running from: c:\documents and settings\AB\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\AB\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\nst39.tmp\PEV.DAT
c:\windows\TEMP\nst39.tmp\System.dll
.
c:\windows\system32\drivers\usbehci.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-05-18 to 2012-06-18 )))))))))))))))))))))))))))))))
.
.
2012-06-18 05:11 . 2012-06-18 05:11--------d-----w-C:\_OTM
2012-06-14 16:39 . 2012-06-14 16:39--------d-----w-c:\program files\ESET
2012-05-31 16:37 . 2012-05-31 16:37--------d-----w-c:\documents and settings\AB\Application Data\Malwarebytes
2012-05-31 16:34 . 2012-05-31 16:34--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-31 16:33 . 2012-04-04 10:2622344----a-w-c:\windows\system32\drivers\mbam.sys
2012-05-31 16:33 . 2012-05-31 16:36--------d-----w-c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-02 365336]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Reader 10.0\\Reader\\Reader_sl.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 11:06 AM 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe -k secsvcs [8/4/2004 3:56 PM 14336]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1606980848-1060284298-1003Core.job
- c:\documents and settings\AB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 13:24]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1606980848-1060284298-1003UA.job
- c:\documents and settings\AB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 13:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/?babsrc=HP_ss&affID=101292&mntrId=b452a30d000000000000000244aa1df0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 203.94.243.70 59.179.243.70
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-18 11:46
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-06-18 11:52:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-18 06:22
ComboFix2.txt 2012-06-14 18:25
.
Pre-Run: 12,178,358,272 bytes free
Post-Run: 12,173,369,344 bytes free
.
- - End Of File - - F26271A61C408CE5C33547BCA04DBA12

OTM by OldTimer - Version 3.1.19.0 log created on 06182012_104107

Files moved on Reboot...

Registry entries deleted on Reboot...



Right now,the computer has 256MB of RAM...I plan to increase it...how much RAM would I need foe normal,home use?