
Powerful Computer, Slow Performance


16 replies to this topic

#1 Il Sunstar lI

  • Members
  • 10 posts

Posted 07 August 2009 - 06:24 AM

Hello!

My name is Brad, and I am new to BleepingComputer.com. After coming up on a system riddled with problems, and reviewing several "Help me pls!" sites, Bleeping, by far, looks to be the best bet a fella can have.

I have read many of the forums on what to do and where to start before posting, and whatnot.

And, after having some success with various removals and scans, there continue to be a few problems that are beyond what my CPU-inclined knowledge can handle. I need a real pro here! ><

I am unsure how this post / reply will go, and I am hoping I am getting off to the right start.

The problems I am having after reading through the "What to do first" section are as follows:

(Dell Dimension 9150, running Windows XP, Pentium D 3.00 GHz, 2GB Ram)

1. This system has a main volume drive labelled as I:\, and I cannot figure how to change it.

2. There are many drives on this computer for removable USB drives (it displays more than what looks normal: there are 6 drives, and I have disabled all but the main drive, so that the virus scanners and whatnot didn't glitch/bug out).

3. After running AVG, Spybot and RegCure, I went to run Malwarebytes Anti-Malware, and this scan took over 33 hours and bugged out at the end. (The program became non-responding; I had to end it through Task Manager.)

4. Many, many programs attempting to access the internet; some were even remote IPs attempting to establish a connection. These are all now blocked by AVG's wicked awesome blocking feature.

5. The computer runs painfully slow for a machine of this caliber.

6. I have downloaded and am ready to post / send a HijackThis report of the PC, once the right person contacts me and throws me a lifeline. Basically, I need a pro to tell me what I'm doing wrong... or not doing right.

7. There are so many processes on this computer, 40 or so, and 20 of them have been permanently blocked by AVG or RegCure, things that I know aren't required for the normal operation of the PC. I have managed to make the thing go about 25% faster by shutting down the non-essentials and whatnot; there just remain a few recurring processes that I am unsure about.


I am attempting to help a senior here with her PC, and I have only gotten so far with my good but limited knowledge. I am hoping that the people at Bleeping can help me to see what I cannot!!!


Thank you for your time!!
Sunstar


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 August 2009 - 11:25 AM

Hello, this can be many things. First run a short-version scan and get a log.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Look through this topic also: Slow Computer/browser? Check Here First; It May Not Be Malware
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Il Sunstar lI
  • Topic Starter
  • Members
  • 10 posts

Posted 09 August 2009 - 09:22 AM

Dear boopme,

I want to thank you for your Expertise and your Time, it is appreciated more than you know!!

I have completed the following steps:

Updated MBAM and ran it in Safe Mode.

Here is the log. (See bottom of log for further Problems/Questions..)

Malwarebytes' Anti-Malware 1.40
Database version: 2583
Windows 5.1.2600 Service Pack 3 (Safe Mode)

09/08/2009 7:50:36 AM
mbam-log-2009-08-09 (07-50-36).txt

Scan type: Quick Scan
Objects scanned: 135611
Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
I:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
I:\autorun.inf (SuspectAutorun.Rootdrive.H) -> Quarantined and deleted successfully.
I:\WINDOWS\kernel32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
I:\services.dll (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
-----------------------------------------------------------------------------------------------------------------------------

Thanks to your sound advice, I was able to get MBAM to finally run a scan and clean. When I ran this in normal mode, the scan took 32 hours, found only 1 problem, and the computer hung when I clicked on Remove Selected.

Since having problems with this PC, I have done the following, from the start...

1. Disabled some non-essential services and startups that I was comfortable stopping and had some knowledge of the programs/services in question, and have not restored them since. Trying to keep it simple and free up CPU speed so that the whole cleaning of this PC isn't painful.

2. Disabled the Shaw Home Security Suite (I have no faith in the ISP's Security Suite... give me AVG or give me death!!)

3. Installed RegCure, updated, scanned, cleaned.

4. Installed AVG AntiVirus, updated, scanned, cleaned. (Found a couple of problems... fixed.)

5. Installed Spybot S&D, updated, scanned, cleaned.

6. Installed MBAM, updated, scanned, ran into errors, consulted with BleepingComputer.com.

7. After your sound advice, updated MBAM, rebooted into safe mode, scanned, cleaned 6 nasty lookin' buggers.

8. Now I have a problem with this: when I am watching the scanners scan files, they often have directories in c:\documents and settings with very long, crazy directory names, and I mean LOTS of them!!! e.g. c:\documentsandsettings\dellsupport\56a4a4ad-6df7-49ec-b41d-e9bb15367dc4.29 ... and in other directories there are files that are similar, with these crazy letters/numbers, with an HTML page in the directory. When I double-click the HTML file (which is labeled: Definitions) it says the ActiveX control is being blocked. (Good thing?)

I just wanted to know what I could do about all those many, many folders of long letter/number combinations, what they were and how to get rid of them... (Are they backup files, malicious files, old installs, do they take up space?)

I was hoping to get rid of all the unnecessary junk files from the computer before a Defragmentation.


Your advice is much appreciated!!


Regards,

Sunstar.
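An MBAM 1.x log like the one above has a fixed shape (summary counts, then one section per category, one item per line), so a short parser can check that the counts match the listed items and pull out the findings that deserve follow-up after the cleanup: the Image File Execution Options key on rstrui.exe (a Debugger value there redirects every launch of System Restore), the autorun.inf at the drive root, and executables named after core Windows binaries sitting outside System32. This is an added example for this thread, not Malwarebytes' own code; the log excerpt is the one posted above and the triage rules are my own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and triage the findings.

Example code added to this thread (not Malwarebytes' own code). The log
excerpt below is copied from the post above; the triage rules are mine."""
import re
from collections import namedtuple

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2583
Windows 5.1.2600 Service Pack 3 (Safe Mode)

Scan type: Quick Scan
Objects scanned: 135611

Memory Processes Infected: 0
Registry Keys Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.

Folders Infected:
I:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
I:\autorun.inf (SuspectAutorun.Rootdrive.H) -> Quarantined and deleted successfully.
I:\WINDOWS\kernel32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
I:\services.dll (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 2" is a summary line; "Registry Keys Infected:" opens a section.
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

# Core Windows binaries that malware likes to impersonate outside System32.
CORE_NAMES = {"kernel32", "services", "svchost", "lsass", "csrss", "winlogon", "smss"}

Finding = namedtuple("Finding", "section path detection action")


def parse_mbam_log(text):
    """Return (summary counts by section, list of Finding)."""
    counts, findings, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # a blank line closes the current section
            section = None
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ITEM_RE.match(line)
        if section and m:                 # "(No malicious items detected)" never matches
            findings.append(Finding(section, m["path"], m["detection"], m["action"]))
    return counts, findings


def counts_consistent(counts, findings):
    """True when every summary count equals the number of items parsed for that section."""
    seen = {}
    for f in findings:
        seen[f.section] = seen.get(f.section, 0) + 1
    return all(seen.get(sec, 0) == n for sec, n in counts.items())


def triage(findings):
    """Notes on the findings that should be verified after the cleanup."""
    notes = []
    for f in findings:
        low = f.path.lower()
        name = low.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        if "\\image file execution options\\" in low:
            # A Debugger value under IFEO\<exe> redirects every launch of <exe>;
            # on rstrui.exe it silently blocks System Restore.
            notes.append(f"IFEO hijack of {name}: confirm the key is gone and {name} launches normally")
        elif re.fullmatch(r"[a-z]:\\autorun\.inf", low):
            notes.append(f"autorun.inf at root of {low[:2]}: removable-media worm marker; "
                         "scan every drive that was plugged into this PC")
        elif stem in CORE_NAMES and "\\windows\\system32\\" not in low:
            notes.append(f"{name} outside System32 ({f.path}): lookalike of a core Windows binary")
    return notes


if __name__ == "__main__":
    counts, findings = parse_mbam_log(SAMPLE_LOG)
    print("summary matches items:", counts_consistent(counts, findings))
    for note in triage(findings):
        print("-", note)
```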

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 August 2009 - 10:17 AM

Hello, and you're welcome. We will do these next. Then tell me what issues are left.
Those folders may be malware and may go away; let's see.


Download and Run FlashDisinfector

You have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post the 2 logs and let us know how the PC is running now.

Edited by boopme, 09 August 2009 - 10:18 AM.

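The placeholder folder that Flash_Disinfector leaves behind works because Windows only honours autorun.inf when it is a file, and a worm that tries to drop its own autorun.inf finds the name already taken by the folder. Below is a read-only check of what each drive root actually holds (nothing, the guard folder, a harmless label/icon file, or a file with a launch command), written as an added example for this thread; it is not Flash_Disinfector's code, and the three roots built by demo() are constructed samples.

```python
"""Check drive roots for autorun.inf and report what kind of thing it is.

Example code added to this thread; it is not Flash_Disinfector and does not
change anything on disk. The three sample roots in demo() are constructed."""
import os
import string
import tempfile

# [autorun] keys that make Windows run something when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute", "shell"}


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lowercased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_entries(entries):
    """The entries that point at something to execute (open=, shellexecute=, shell\\...=)."""
    return [f"{k}={v}" for k, v in entries.items()
            if k in LAUNCH_KEYS or k.startswith("shell\\")]


def classify_root(root):
    """Classify <root>/autorun.inf: absent, placeholder-folder, file-inert or file-with-launch-command."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", []
    if os.path.isdir(path):
        # The guard Flash_Disinfector creates: Windows does not parse a folder as an
        # autorun file, and a worm cannot create a file with the same name beside it.
        return "placeholder-folder", []
    with open(path, "r", errors="replace") as fh:
        launches = launch_entries(parse_autorun(fh.read()))
    return ("file-with-launch-command" if launches else "file-inert"), launches


def local_drive_roots():
    """Existing drive roots on Windows (X:\\); empty on other systems, where only demo() runs."""
    if os.name != "nt":
        return []
    return [f"{d}:\\" for d in string.ascii_uppercase if os.path.exists(f"{d}:\\")]


def demo():
    """Build three constructed roots in a temp dir and classify each."""
    base = tempfile.mkdtemp()
    samples = {
        "I": "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n",   # launches a program
        "K": "[autorun]\nlabel=Backup\nicon=drive.ico\n",        # label/icon only
    }
    roots = {}
    for name, content in samples.items():
        root = os.path.join(base, name)
        os.mkdir(root)
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(content)
        roots[name] = root
    root = os.path.join(base, "J")                              # guard folder, no file
    os.makedirs(os.path.join(root, "autorun.inf"))
    roots["J"] = root
    return {name: classify_root(r) for name, r in roots.items()}


if __name__ == "__main__":
    for root in local_drive_roots():
        print(root, *classify_root(root))
    for name, (kind, launches) in demo().items():
        print(name, kind, launches)
```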

#5 Il Sunstar lI
  • Topic Starter
  • Members
  • 10 posts

Posted 09 August 2009 - 06:47 PM

Before I continue with this step, I have a few questions...

1. Part of the steps I had taken to disable services and programs that I mentioned before I started on your advice was that I had disabled the suspicious drives in question in Control Panel > System > Device Manager, and these are the following drives I have on the list...

Disk Drives
|
L--> ARRAY (Enabled)
L--> ST3320620AS (Enabled)
L--> TEAC USB HS-CD Card USB Device (Disabled)
L--> TEAC USB HS-MS Card USB Device (Disabled)
L--> TEAC USB HS-SD Card USB Device (Disabled)
L--> TEAC USB HS-xD/SM USB Device (Disabled)


Is this setup fine / would this conflict with the next step you are suggesting?



On the front of this computer, physically (Dell Dimension 9150 Desktop), the layout of the front USB / card ports (which I am not so familiar with) is as follows:



[----------------- DVD/CD DRIVE-----------------]

[----------------- DVD/CD DRIVE-----------------]

[ClosedBayFor 3 1/2"]

(Various flashcard/ USB drives ??? )


[--SM xD--] [--SD/Mini MMC/RS--]

[--CF/MD--] [--MS/Pro/Duo--]


This tells me that the devices should be there; are these the drives that are infected, in question??


Please Advise!

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 August 2009 - 09:56 PM

Hello, yes this will be ok to proceed with.

#7 Il Sunstar lI
  • Topic Starter
  • Members
  • 10 posts

Posted 10 August 2009 - 11:34 AM

boopme,

I am getting an error when trying to download this file... my computer says:

Error Downloading FlashDisinfector [1].exe: Access Denied. Make sure the disk is not write: full copy protected or the disk is in use.

It's like I have a copy on my desktop already, but I don't see it!!

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 August 2009 - 12:18 PM

OK, while I look into that, can you run the other two?

#9 Il Sunstar lI
  • Topic Starter
  • Members
  • 10 posts

Posted 10 August 2009 - 04:47 PM

Will do, boopme.

I have one more question today about this system

Instead of the traditional Windows Explorer (file explorer via My Computer) I get a _-Windows Search program showing up. And if I want to use the old, traditional Windows Explorer to browse through my files, I have to right-click folder > Explore; then it opens up the traditional version of Windows Explorer. This _-Windows Search program that opens when I double-click a folder to explore doesn't display any of the files like it should; it's very buggy, and when I attempt to close the _-Windows Search program, the window itself hangs and I get the error message "Cannot close this Window, it is busy." I would like to make it so that when I double-click folders in My Computer or on the Desktop, it uses the traditional, old-style Windows Explorer for browsing files.

Suggest?

Am now continuing with the other two, from your last Post.

Edited by Il Sunstar lI, 10 August 2009 - 04:49 PM.


#10 Il Sunstar lI
  • Topic Starter
  • Members
  • 10 posts

Posted 10 August 2009 - 07:12 PM

boopme, here are the results of the SUPERAntiSpyware cleaning...


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/10/2009 at 05:41 PM

Application Version : 4.27.1002

Core Rules Database Version : 4047
Trace Rules Database Version: 1987

Scan type : Complete Scan
Total Scan Time : 01:10:28

Memory items scanned : 233
Memory threats detected : 0
Registry items scanned : 5865
Registry threats detected : 0
File items scanned : 120460
File threats detected : 8

Trojan.Agent/Gen-ImageDocFake
I:\DOCUMENTS AND SETTINGS\KATHLEEN\MY DOCUMENTS\DOWNLOADS\CANNIBAL CORPSE - DISCOGRAPHY[FLAC]\1990 - EATEN BACK TO LIFE\SCANS\BOOK_01-12.JPG
I:\DOCUMENTS AND SETTINGS\KATHLEEN\MY DOCUMENTS\DOWNLOADS\CANNIBAL CORPSE - DISCOGRAPHY[FLAC]\1994 - THE BLEEDING\COVER ART\BACK.JPG

Adware.Tracking Cookie
I:\Documents and Settings\kirk\Cookies\kirk@adserver.adtechus[1].txt
I:\Documents and Settings\kirk\Cookies\kirk@content.yieldmanager.edgesuite[1].txt
I:\Documents and Settings\kirk\Cookies\kirk@content.yieldmanager[2].txt
I:\Documents and Settings\kirk\Cookies\kirk@content.yieldmanager[3].txt
I:\Documents and Settings\kirk\Cookies\kirk@iacas.adbureau[1].txt
I:\Documents and Settings\kirk\Cookies\kirk@imrworldwide[2].txt


The computer runs much better, but still, after AVG loads in the mini tray, it still takes a few minutes to allow me to access things on the desktop. Maybe this is normal, but for a computer with 3.00GHz and 2MB RAM, I think maybe it should be running a bit faster.

The only issue I have now is this _-Windows Search explorer comes up when I double-click on folders to browse files; I am still using Right Click > Explore to see folder contents.


Also... I may have done things in an improper order..

I went to Safe Mode after updating SUPERAntiSpyware, ran the scan, deleted/quarantined files...
Reboot,
Normal mode,
THEN I used ATF Cleaner. Maybe no big deal that SUPER had scanned all the temp files etc.; it just took a lot longer... approx. 1 hr 10 mins for 125,000 files. But this ATF Cleaner removed 205.56MB of temporary files.

- Any suggestions about this _-Windows Search program that is opening when I double-click folders?


One more question I have is about processes. There are sooo many processes running on this computer. How do I make a log of these processes so that you can examine them and help to disable all unneeded ones?

#11 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 August 2009 - 08:31 PM

Hi, you may have some corrupted files from the malware.
First, though,
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
~~~~~~~~~~~~~~~~~~~~`

No biggie on the ATF /SAS.
~~~~~~~~~~~~~~~~~~~~~~

You may want to run.... sfc /scannow

You will need your XP CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.
~~~~~~~~~~~~~~~~~~~~~

I feel reinstalling AVG would help.
AVG Remover Utility (avgremover.exe)

This tool absolutely cleans all traces of AVG, available in two versions: the classic 32-bit and 64-bit version (for x64 version of Windows Vista and 7).
32-bit avgremover.exe
64-bit avgremoverx64.exe

#12 Il Sunstar lI
  • Topic Starter
  • Members
  • 10 posts

Posted 12 August 2009 - 08:46 PM

Dear boopme

Before running these new scans you have asked of me, I have noticed something that seems malicious through AVG Antivirus.

While exploring the AVG > Tools > Fire Wall Settings tab, a few networks marked as UNSAFE showed up. I am wondering, is this system connecting to malicious networks when I reboot??

Here are the results of the AVG > Tools > Fire Wall Settings > Standalone Computer > Defined Adapters tab that I see:


Adapters                                                        | Interface Safety | IP Address Range
----------------------------------------------------------------+------------------+----------------------------------------------
Adapters Connected to Safe Networks                             | SAFE             | (No IP Address)
Intel PRO/1000 PL Network Connection Packet Scheduler MiniPort  | UNSAFE           | 96.53.129.29/22, fe80::0213:72ff:fe13:7a25/64
Teredo Tunneling Pseudo-Interface                               | UNSAFE           | (No IP Address)
6to4 Pseudo Interface                                           | UNSAFE           | 2002:6035:811d:6035:811d/64
Automatic Tunneling Pseudo Interface                            | UNSAFE           | fe80::5efe:6035:811d/64




I think that I have disabled these methods of connection via AVG Firewall blocking (I usually block everything..), but this looks wrong and like it shouldn't be there. My question is: how do I make my computer never want to look for these servers/internet connections ever again? I am not sure about this type of thing... I don't think any of this is good!! ><

Also, I have NOT run any of the scans that you asked for on August 10 2009 5:31PM. I have not done any of these yet, but I have this new question for you!!

Please advise!!!


Regards,

Sunstar

Edited by Il Sunstar lI, 12 August 2009 - 08:50 PM.


#13 Il Sunstar lI
  • Topic Starter
  • Members
  • 10 posts

Posted 12 August 2009 - 08:59 PM

Here are my Spybot S&D logs that are handy.


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-08-02 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi
2009-07-30 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-05-19 Includes\Dialer.sbi
2009-08-04 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-05-26 Includes\Hijackers.sbi
2009-08-04 Includes\HijackersC.sbi
2009-06-23 Includes\Keyloggers.sbi
2009-07-30 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-07-14 Includes\Malware.sbi
2009-08-05 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2009-08-04 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-07-30 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-04-07 Includes\Spyware.sbi
2009-08-04 Includes\SpywareC.sbi
2009-06-08 Includes\Tracks.uti
2009-07-22 Includes\Trojans.sbi
2009-08-05 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Adobe AIR 1.5.1.8210 (Adobe AIR)
install location: i:\Program Files\Common Files\Adobe AIR\
uninstall cmd: i:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
publisher: Adobe Systems Inc.

Adobe Flash Player 10 ActiveX 10.0.22.87 (Adobe Flash Player ActiveX)
uninstall cmd: I:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
publisher: Adobe Systems Incorporated
help link: http://www.adobe.com/go/flashplayer_support/

Adobe Flash Player 10 Plugin 10.0.22.87 (Adobe Flash Player Plugin)
uninstall cmd: I:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
publisher: Adobe Systems Incorporated

Adobe Shockwave Player 11.5 11.5 (Adobe Shockwave Player)
version (major): 11
version (minor): 1
install location: I:\WINDOWS\system32\Adobe
uninstall cmd: I:\WINDOWS\system32\Adobe\uninstaller.exe
publisher: Adobe Systems, Inc.
help link: http://www.adobe.com/support/shockwave

(AVG7Uninstall)

AVG 8.5 (AVG8Uninstall)
version (major): 8
version (minor): 5
install location: I:\Program Files\AVG\AVG8
uninstall cmd: I:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
publisher: AVG Technologies

(Branding)

(CADI)
uninstall cmd: RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove

(Creative MediaSource)
uninstall cmd: RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove

(Creative MediaSource Detector)
uninstall cmd: RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove

(Creative MediaSource Go!)
uninstall cmd: RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{8A3F2ADE-DEF2-4A50-866A-6B9357B5590F}\setup.exe" -l0x9 /remove

(Creative MediaSource MiniDisc Plugin)
uninstall cmd: RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{7AFFF09F-386B-4F7A-B3E0-EC24C13893AA}\setup.exe" -l0x9 /remove

(Creative MediaSource Player Skin Pack)
uninstall cmd: RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove

(Creative Music Store Plugin)
uninstall cmd: RunDll32 I:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "I:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 /remove

(dlatray.exe)
uninstall cmd: I:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

(expinst)

(F-Secure Anti-Spyware)
uninstall cmd: "I:\Program Files\Shaw Secure\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Spyware"

(F-Secure Anti-Spyware Scanner)
uninstall cmd: "I:\Program Files\Shaw Secure\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Spyware Scanner"

(F-Secure Anti-Virus)
uninstall cmd: "I:\Program Files\Shaw Secure\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Virus"

And the StartUp log for Spybot S&D

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-08-02 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi
2009-07-30 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-05-19 Includes\Dialer.sbi
2009-08-04 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-05-26 Includes\Hijackers.sbi
2009-08-04 Includes\HijackersC.sbi
2009-06-23 Includes\Keyloggers.sbi
2009-07-30 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-07-14 Includes\Malware.sbi
2009-08-05 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2009-08-04 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-07-30 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-04-07 Includes\Spyware.sbi
2009-08-04 Includes\SpywareC.sbi
2009-06-08 Includes\Tracks.uti
2009-07-22 Includes\Trojans.sbi
2009-08-05 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Located: HK_LM:Run, AVG8_TRAY
command: I:\PROGRA~1\AVG\AVG8\avgtray.exe
file: I:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 2000152
MD5: 384D5440B780BD921399A5697E6E1623

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
file: I:\WINDOWS\system32\NvCpl.dll
size: 8491008
MD5: 1A2933669C63064AE04C577ED639DA2C

Located: HK_LM:Run, Windows Defender
command: "I:\Program Files\Windows Defender\MSASCui.exe" -hide
file: I:\Program Files\Windows Defender\MSASCui.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, CTFMON.EXE
where: .DEFAULT...
command: I:\WINDOWS\system32\CTFMON.EXE
file: I:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-19...
command: I:\WINDOWS\system32\CTFMON.EXE
file: I:\WINDOWS\system32\CTFMON.EXE
size: 15360
I hope that these log files can help boopme!!!



Regards, Sunstar

#14 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender: Male
  • Location: NJ USA
  • Local time: 04:31 PM

Posted 12 August 2009 - 09:30 PM

Hi, first is this a school network compy?

Adapters Connected to Safe Networks --> SAFE --> (NoIP Adress)

Intel PRO/1000 PL Network Connection Packet Scheduler MiniPort---> UNSAFE --> 96.53.129.29/22,fe80::0213:72ff:fe13:7a25/64

Teredo Tunneling Pseudo-Interface ---> UNSAFE -->(NoIPAdress)

6to4 Pseudo Interface --> UNSAFE --> 2002:6035:811d:6035:811d/64

Automatic Tunneling Pseudo Interface --> UNSAFE --> fe80::5efe:6035:811d/64

This should be how your school has their network set up.

You have fixed the AVG? Do you also have F Secure as an AV?


I want to run MBAM again.
We need to disable Spybot S&D's "TeaTimer".
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

#15 Il Sunstar lI

  • Topic Starter
  • Members
  • 10 posts
  • Local time: 12:31 PM

Posted 13 August 2009 - 01:55 AM

Dear boopme.

No, this is a home-used, personal computer, not on a network at school or anything, so that's why all the various hook-ups to all these weird-looking networks have me questioning them.

Now that you have given me advice about TeaTimer, I will turn it off, and run MBAM again.

No, I am using AVG antivirus, and I have uninstalled F Secure from the computer. I thought maybe F Secure was not a good program, and since AVG is easy to navigate, and I like the pop-up on the firewall when things try and access the internet, also, I have used AVG before, and I like it, and I have never used F Secure... So I uninstalled F Secure, and am using AVG.. then I contacted you.

The MBAM scan is taking about 20-30 hours each time to complete.. I will turn off TeaTimer now, and re-run the scan. Will post.

Thank you!
