BleepingComputer.com: Slow computer after virus/rootkit supposedly removed

Hi there! I was working with the Malwarebytes forum a few weeks ago. I could not download Malwarebytes, and my browser was being hijacked. From there, they informed me that I probably had a rootkit. After running some programs and reporting the log files, they figured my computer was clean and the thread was closed. Since it is not just a Malwarebytes problem, I thought I would join your forum and see if you have some additional help for me.

OS - Windows Vista Home premium 32 bit

Symptoms - Computer running slow, almost slower than dial-up. Pages sometimes need to be refreshed a few times before the graphics will load properly.
- File download is enabled on my computer. There is only one user account on this computer, it has admin. privileges. When I download something, it looks as if the file downloads... I select where to save it to, the progress bar runs, and it looks like a normal download. However, when I go to retreive the download, it is not there.

I have run disk defrag, checked disk for errors, I have my antivirus and one other program running from startup programs... I shut off all the others regularly. (I was on dial-up for 10 years, I still practice the tricks for speed)
For tool bars, I have... menu bar, favorites bar, command bar and status bar... so not much for tool bars.
I have 3GB of RAM... that should be plenty for web surfing.
I have switch my Windows color scheme from Areo to vista basic.
I didn't have many desktop icons (10 of them) until I download all these spyware checkers. I will get rid of them after I'm fixed up.
I generally take care of my computer and keep it clean.
It was running at a normal speed until the virus/rootkit started. It has gotten very slow since after i was told the virus/rootkit looked like it was gone. Thats what makes me think that there is still something hiding there.

Security tools used - Running AVG Antivirus 8.5 free
I was able to install spyware checkers from a memory stick, they include,
- Ad Aware.... it found 40 tracking cookies and 1 MRU object
- Super Anti Spyware... it found 38 tracking cookies
- AVG Anti-Rootkit... no rootkits found
- Dr. Web Cure it... probably MULDROP.Trojan action - incurable.deleted
- Malwarebytes... found nothing
- Spybot S&D... no threats found
- HiJackThis... saved log file

I could not get root repeal to run

Here is my dds log...

DDS (Ver_09-10-13.01) - NTFSx86
Run by Mitchell at 22:04:36.87 on 22/10/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3070.1915 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\hp\kbd\kbd.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mitchell\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.theweathernetwork.com/weather/CASK0176
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Watch for Browser Events: {42a7ce31-cee7-4cce-a060-a44a7e52e062} - c:\progra~1\keyboa~1\kie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\users\mitchell\appdata\roaming\micros~1\windows\startm~1\programs\startup\keyboa~1.lnk - c:\program files\keyboard express 3\keyexp.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-6 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-28 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-6 297752]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-19 1153368]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-12-3 1426304]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-6 908056]
S3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;c:\windows\system32\drivers\AGUx86.sys [2009-9-20 892416]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]

=============== Created Last 30 ================

2009-10-19 12:36 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-10-19 12:36 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-10-19 12:36 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-10-19 06:11 <DIR> --d----- c:\users\mitchell\DoctorWeb
2009-10-19 00:26 3,968 a------- c:\windows\system32\drivers\AvgArCln.sys
2009-10-18 22:25 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-10-18 22:25 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-10-18 22:24 <DIR> --d----- c:\users\mitchell\appdata\roaming\SUPERAntiSpyware.com
2009-10-18 22:24 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-18 20:19 <DIR> --d----- c:\programdata\Lavasoft
2009-10-18 20:19 <DIR> --d----- c:\program files\Lavasoft
2009-10-17 14:11 218,624 a------- c:\windows\system32\msv1_0.dll
2009-10-17 14:11 3,600,456 a------- c:\windows\system32\ntkrnlpa.exe
2009-10-17 14:11 3,548,216 a------- c:\windows\system32\ntoskrnl.exe
2009-10-17 14:10 60,928 a------- c:\windows\system32\msasn1.dll
2009-10-17 14:07 144,896 a------- c:\windows\system32\drivers\srv2.sys
2009-10-17 14:07 604,672 a------- c:\windows\system32\WMSPDMOD.DLL
2009-10-11 14:25 4,984 a------- c:\windows\system32\drivers\nvphy.bin
2009-10-11 14:10 <DIR> --d----- c:\windows\system32\eu-ES
2009-10-11 14:10 <DIR> --d----- c:\windows\system32\ca-ES
2009-10-11 14:10 <DIR> --d----- c:\windows\system32\vi-VN
2009-10-11 13:44 <DIR> --d----- c:\windows\pss
2009-10-07 07:23 <DIR> --d----- c:\program files\Microsoft
2009-10-07 06:18 <DIR> --d----- c:\programdata\Office Genuine Advantage
2009-10-06 06:42 2,421,760 a------- c:\windows\system32\wucltux.dll
2009-10-06 06:41 87,552 a------- c:\windows\system32\wudriver.dll
2009-10-06 06:41 171,608 a------- c:\windows\system32\wuwebv.dll
2009-10-06 06:41 33,792 a------- c:\windows\system32\wuapp.exe
2009-10-04 22:45 0 a------- C:\settings.dat
2009-10-04 22:44 472,064 a------- C:\RootRepeal.exe
2009-10-04 12:50 2 a--shrot c:\windows\winstart.bat
2009-10-04 12:49 <DIR> --d----- c:\program files\UnHackMe
2009-10-04 12:36 396,288 a------- c:\program files\HijackThis.exe
2009-10-02 19:35 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-10-02 19:28 11,776 -------- c:\windows\system32\cngaudit.dll
2009-10-02 15:50 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-01 22:45 229,888 a------- c:\windows\PEV.exe
2009-10-01 22:45 161,792 a------- c:\windows\SWREG.exe
2009-10-01 22:45 98,816 a------- c:\windows\sed.exe
2009-09-30 08:58 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 08:57 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-27 19:43 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-09-27 19:43 499,712 a------- c:\windows\system32\kerberos.dll
2009-09-27 19:43 270,848 a------- c:\windows\system32\schannel.dll
2009-09-27 19:43 175,104 a------- c:\windows\system32\wdigest.dll
2009-09-27 19:43 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-09-27 19:43 72,704 a------- c:\windows\system32\secur32.dll
2009-09-27 19:43 9,728 a------- c:\windows\system32\lsass.exe
2009-09-27 16:20 <DIR> --d----- c:\program files\mbam
2009-09-27 14:03 1,435,272 a------- c:\windows\system32\Flash.ocx
2009-09-27 14:03 1,066,176 a------- c:\windows\system32\mscomctl.ocx
2009-09-27 14:03 512,688 a------- c:\windows\system32\XceedCry.dll
2009-09-27 14:03 423,784 a------- c:\windows\system32\XceedBkp.dll
2009-09-27 14:03 389,120 a------- c:\windows\system32\ACTSKN43.OCX
2009-09-27 14:03 188,416 a------- c:\windows\system32\actsplash.ocx
2009-09-27 14:03 131,856 a------- c:\windows\system32\MSADODC.ocx
2009-09-27 14:03 118,784 a------- c:\windows\system32\msstdfmt.dll
2009-09-27 14:03 101,888 a------- c:\windows\system32\VB6STKIT.DLL
2009-09-27 14:03 89,088 a------- c:\windows\system32\ProgressBar4.ocx
2009-09-27 14:03 11,012 a------- c:\windows\system32\threadapi.tlb
2009-09-27 13:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-27 12:15 133,664 a------- c:\windows\RTKAUDIOSERVICE.EXE
2009-09-24 16:45 <DIR> --d----- c:\windows\system32\EventProviders
2009-09-24 06:44 950,784 a------- c:\windows\system32\gpedit.dll
2009-09-24 06:43 1,152,000 a------- c:\windows\system32\themecpl.dll
2009-09-24 06:42 16,896 a------- c:\windows\system32\gpupdate.exe

==================== Find3M ====================

2009-10-21 21:38 143,360 a------- c:\windows\inf\infstrng.dat
2009-10-21 21:38 143,360 a------- c:\windows\inf\infstor.dat
2009-10-21 21:38 51,200 a------- c:\windows\inf\infpub.dat
2009-10-18 19:11 6,970 a------- c:\program files\hijackthis.log
2009-10-11 14:10 665,600 a------- c:\windows\inf\drvindex.dat
2009-09-15 13:26 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-11 20:50 6,730 a------- c:\users\mitchell\appdata\roaming\wklnhst.dat
2009-08-28 20:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 20:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 20:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 20:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 18:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 18:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-26 23:22 916,480 a------- c:\windows\system32\wininet.dll
2009-08-26 23:17 109,056 a------- c:\windows\system32\iesysprep.dll
2009-08-26 23:17 71,680 a------- c:\windows\system32\iesetup.dll
2009-08-26 21:42 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-08-21 05:05 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-14 09:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 07:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 07:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 07:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 07:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 07:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 07:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 07:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 07:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-04 09:17 1,265,696 a------- c:\windows\system32\RtkPgExt.dll
2009-08-04 09:17 52,256 a------- c:\windows\system32\RtkCoInst.dll
2009-08-04 09:17 2,898,464 a------- c:\windows\system32\RtkAPO.dll
2009-08-04 09:17 326,176 a------- c:\windows\system32\RtkApoApi.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2008-12-05 17:17 33,609,323 a------- c:\program files\paint-shop-pro-7.00ev.exe
2008-11-09 15:55 923,547 a------- c:\program files\7z460.exe
2008-10-02 06:20 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:04:53.50 ===============

thanks for your help

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Hi there! My computer is still running quite slow. Alot of the time, web page don' t load proper. Some of the graphics will just show the placeholder. Also, sometimes the javascript frames or tables don't load proper.
I have run many anti-spyware programs and have not found much in the reports.
I have used 2 registry cleaners in hopes that it would clean up the mess from the rootkit i had and speed things up.
I have tried some internet suggestions to try to speed IE8 up.
I downloaded Google Chrome to see if that would run faster and it didn't... I think it actually moved slower.
I have updated my drivers.
It seems the slowness came right after I got the rootkit infection fixed. I also downloaded Vista SP2 and a few other updates after the rootkit.
I'm running at about a quarter of the speed i used to before I got the rootkit.

Here is my DDS log

DDS (Ver_09-10-26.01) - NTFSx86
Run by Mitchell at 19:05:25.90 on 31/10/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3070.2257 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\hp\kbd\kbd.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mitchell\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.theweathernetwork.com/weather/CASK0176
uSearch Bar = Preserve
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Watch for Browser Events: {42a7ce31-cee7-4cce-a060-a44a7e52e062} - c:\progra~1\keyboa~1\kie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\mitchell\appdata\roaming\micros~1\windows\startm~1\programs\startup\keyboa~1.lnk - c:\program files\keyboard express 3\keyexp.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-6 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-28 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-6 297752]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-7-14 1443584]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-6 908056]
S3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;c:\windows\system32\drivers\AGUx86.sys [2009-9-20 892416]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-10-27 30136]

=============== Created Last 30 ================

2009-10-28 18:22:38 0 d-----w- c:\users\mitchell\appdata\roaming\IObit
2009-10-28 18:22:37 0 d-----w- c:\program files\IObit
2009-10-28 08:50:25 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 08:50:24 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 12:46:08 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2009-10-27 12:02:06 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2009-10-19 18:36:01 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-19 12:11:33 0 d-----w- c:\users\mitchell\DoctorWeb
2009-10-19 04:25:40 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-19 04:24:34 0 d-----w- c:\users\mitchell\appdata\roaming\SUPERAntiSpyware.com
2009-10-19 02:19:18 0 d-----w- c:\programdata\Lavasoft
2009-10-17 20:11:14 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-17 20:11:10 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-17 20:11:10 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-17 20:10:23 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-17 20:07:53 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-17 20:07:52 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-11 20:10:26 0 d-----w- c:\windows\system32\eu-ES
2009-10-11 20:10:26 0 d-----w- c:\windows\system32\ca-ES
2009-10-11 20:10:24 0 d-----w- c:\windows\system32\vi-VN
2009-10-11 19:44:55 0 d-----w- c:\windows\pss
2009-10-07 13:23:33 0 d-----w- c:\program files\Microsoft
2009-10-07 12:18:06 0 d-----w- c:\programdata\Office Genuine Advantage
2009-10-06 12:42:01 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-06 12:41:50 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-06 12:41:46 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-06 12:41:46 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-05 04:45:15 0 ----a-w- C:\settings.dat
2009-10-04 18:50:17 2 --shatr- c:\windows\winstart.bat
2009-10-04 18:36:06 396288 ----a-w- c:\program files\HijackThis.exe
2009-10-03 01:35:40 0 d-sh--w- C:\$RECYCLE.BIN
2009-10-03 01:28:30 11776 ------w- c:\windows\system32\cngaudit.dll
2009-10-02 21:50:51 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-02 04:45:24 98816 ----a-w- c:\windows\sed.exe
2009-10-02 04:45:24 229888 ----a-w- c:\windows\PEV.exe
2009-10-02 04:45:24 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2009-10-27 12:02:05 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-27 12:02:05 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-27 12:02:05 143360 ----a-w- c:\windows\inf\infstor.dat
2009-10-23 13:53:23 7196 ----a-w- c:\program files\hijackthis.log
2009-10-11 20:10:20 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-11 20:06:02 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-09-12 02:50:25 6730 ----a-w- c:\users\mitchell\appdata\roaming\wklnhst.dat
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-21 11:05:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49:18 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49:13 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-04 15:17:32 1265696 ----a-w- c:\windows\system32\RtkPgExt.dll
2009-08-04 15:17:26 52256 ----a-w- c:\windows\system32\RtkCoInst.dll
2009-08-04 15:17:22 133664 ----a-w- c:\windows\RTKAUDIOSERVICE.EXE
2009-08-04 15:17:16 326176 ----a-w- c:\windows\system32\RtkApoApi.dll
2009-08-04 15:17:16 2898464 ----a-w- c:\windows\system32\RtkAPO.dll
2009-08-03 21:07:42 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 21:07:42 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 21:07:42 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2008-12-05 23:17:28 33609323 ----a-w- c:\program files\paint-shop-pro-7.00ev.exe
2008-11-09 21:55:09 923547 ----a-w- c:\program files\7z460.exe
2008-10-02 12:20:11 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-07-01 21:42:23 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-07-01 21:42:23 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-07-01 21:42:23 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-07-01 21:42:23 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-08-06 14:48:01 22 --sha-w- c:\windows\sminst\HPCD.sys
2008-02-14 17:29:07 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:06:06.36 ===============


Thanks for taking the time to help me out.

Sally

Hello, Mustang_Sally and again
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:

• Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  
• Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  
• Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  
• Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  
• Please set your system to show all files.
  Click Start, open My Computer, select the Tools menu and click Folder Options.
  Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
  Uncheck: Hide file extensions for known file types
  Uncheck the Hide protected operating system files (recommended) option.
  Click Yes to confirm.

Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.







Step 2

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  
• Double click on RSIT.exe to run RSIT.
  
• Click Continue at the disclaimer screen.
  
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please post back with:

• Malwarebytes-Logfile
  
• Both RSIT-Logfiles

Here is the Mbam log, and I've attached the RSIT logs. Thanks for your help!

Malwarebytes' Anti-Malware 1.41
Database version: 3077
Windows 6.0.6002 Service Pack 2

01/11/2009 9:35:17 AM
mbam-log-2009-11-01 (09-35-17).txt

Scan type: Quick Scan
Objects scanned: 87132
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi,

Please don't attach logfiles, just post it here in your thread . How is your system running?



Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

So far, no change in how slow the computer is running or web pages not loading proper.

Here is my gmer log...

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-02 06:54:21
Windows 6.0.6002 Service Pack 2
Running: 0217s2zf.exe; Driver: C:\Users\Mitchell\AppData\Local\Temp\fxlyqkog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

Hi,


Step 1

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.







Step 2

Download and Run StartupLite

This program will identify startup entries that are unnecessary to be started at bootup. This will help free some memory.

• Download StartupLite.exe by MalwareBytes to your desktop.
  
• Double click on StartUpLite.exe to run it. If you are using Windows Vista, right click the icon and select Run As Administrator.
  
• A list of unecessary startup entries will be compiled.
  
• Take a read at the description of each and for most of them you probably won't need it please make sure there is a checkmark next to Disable.
  
• Leave all the items as Disabled and click Continue.
  
• Restart your computer once it's done.

Step 3

I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
    
  • Double click on the icon on your desktop.
  
  
• Check
  
• Click the button.
  
• Accept any security warnings from your browser.
  
• Check
  
• Push the Start button.
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, push
  
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  
• Push the button.
  
• Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Hi there, I'm running Windows Vista. Do you still want me to to download ATF Cleaner?

Hi,

Sorry, my fault. Please use this:


Please download TFC by Old Timer and save it to your desktop.
alternate download link

• Save any unsaved work. TFC will close ALL open programs including your browser!
  
• Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  
• Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  
• Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Hi again,

I ran TFC & Startup Lite. I also did the ESET scan. Here is the results from ESET....

Scanned Files: 163069
Infected Files: 0
Cleaned Files: 0
Total Scan Time: 1:15:11
Scan Status: Finished

It did not give me the "list of found threats" or "Export to text file" options. I'll assume thats bcause it did not find any threats.

My computer is still acting the same as previously posted. I would guess the computer is clean, however something has caused it to slow down drastically. I'm to the point of wiping it clean unless you have any other suggestions.

Thanks so much for your time and your help

Hi,

Reformat is the fastest way to get back to normal speed. After some time of using a system it will slow down, and only a clean reformat will really help.

We can try some other things, but I don't know if it works.

Just let me know what you decide .

This slow down came right after the rootkit infection I had . It wasn't really slow while I had the infection, but right after it, I noticed the slow loading pages and some javascript frames and not loading proper, as well as some graphics not loading.

If you are willing to keep going, I'm willing to try a few more things.

Thanks for your time.

Hi,

No problem, we can try a few more things .

Please explain me something:

Is the system slow at bootup or generally? Do you have a Vista-DVD?

The system seems to be slow only when I'm on the web. (IE 8) My programs start and load normal, and boot-up is normal. I wonder if it has anything to do with Vista SP2. I was not able to do Windows update for SP2 until I got rid of the rootkit. I also did a few more Windows updates at that time and since then, the computer has been slow and web pages don't always load properly.

I have an HP computer and it did not come with a Windows disk. I did do a back-up of the whole computer but I now question if those disks would have a virus or rootkit on them. I could try doing a back-up of just the D drive (factory Image).