My dad decided to "Speed up my PC"

johnb35

Administrator
Staff member
Ok, I have some concerns here. Please do the following.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here:

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

    cf-icon.jpg
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

    cf-preparing.jpg

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

    erunt.jpg

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    recovery-console-prompt.jpg

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    still-scanning-clockchanges.jpg

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.

If, for some reason, you try to run a program or open a file and you get an error message saying "illegal operation attempted on a registry key that has been marked for deletion", please just reboot your PC and you'll be fine.


In your next reply please post:
  • The ComboFix log
  • An update on how your computer is running

Looks like you have some old versions of Java installed, which need to be removed. Let's get an uninstall list.

I also need you to post a log that ComboFix creates but doesn't show you. Please navigate to C:\Qoobox and in that folder will be a file named Add-Remove Programs.txt. Open that file and copy and paste the contents back here.
 

bkribbs

New Member
It is worth noting this is a PC with monitoring software on it as well. I'll run combo fix and get back to you later once I get back from work. Thanks.
 

johnb35

Administrator
Staff member
You mean like parental controls? Not really. These are some I'm concerned about.

C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At1.job

These are usually malware. Can you go into each of those tasks and list the info of them for me?
 

bkribbs

New Member
Once I get off work, yes. Run combofix as well still right? And how do I get the info? Task manager and right click on them?
 

johnb35

Administrator
Staff member
Yes, still run ComboFix and post both logs. Just navigate to c:\windows\tasks and then you should be able to open each item; there should be a description of what file or program is scheduled to run.
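To show what "the info" inside those tasks actually is, here is an added example (not code from the thread, ComboFix or OTL) that parses the Task Scheduler 1.0 .job files found in C:\WINDOWS\Tasks according to the published [MS-TSCH] layout and flags jobs whose executable lives in a user-writable folder. The two sample jobs are constructed in the script; the SearchProtect path is only an illustrative location borrowed from the thread, and `sample.exe` is a placeholder name.

```python
# Added example: parse Windows Task Scheduler 1.0 .job files (the format of
# C:\WINDOWS\Tasks\At1.job) per the public [MS-TSCH] layout and triage them.
import struct
import uuid

FIXED_HEADER_FMT = "<HH16sHHHHHHIIIII16s"  # 68-byte fixed-length header
FIXED_HEADER_LEN = struct.calcsize(FIXED_HEADER_FMT)
TRIGGER_LEN = 48
# Heuristic only: legitimate jobs rarely run from user-writable folders.
USER_WRITABLE_MARKERS = ("\\local settings\\", "\\application data\\",
                         "\\temp\\", "\\users\\")

def _read_string(buf, pos):
    """A .job string: 2-byte char count (incl. NUL) then UTF-16LE text."""
    (nchars,) = struct.unpack_from("<H", buf, pos)
    end = pos + 2 + 2 * nchars
    return buf[pos + 2:end].decode("utf-16-le").rstrip("\x00"), end

def parse_job(data):
    """Return the executable, arguments and metadata encoded in a .job file."""
    if len(data) < FIXED_HEADER_LEN:
        raise ValueError("shorter than the fixed .job header")
    hdr = struct.unpack_from(FIXED_HEADER_FMT, data, 0)
    app_off, trig_off, flags = hdr[3], hdr[4], hdr[13]
    pos, fields = app_off, []  # header points at the application string
    for _ in range(5):  # application, parameters, working dir, author, comment
        value, pos = _read_string(data, pos)
        fields.append(value)
    for _ in range(2):  # user data, reserved data: 2-byte size + payload
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if pos != trig_off:
        raise ValueError("trigger offset disagrees with parsed layout")
    (ntrig,) = struct.unpack_from("<H", data, pos)
    keys = ("application", "parameters", "working_dir", "author", "comment")
    job = dict(zip(keys, fields))
    job.update(uuid=str(uuid.UUID(bytes_le=hdr[2])), flags=flags, triggers=ntrig)
    return job

def assess(job):
    """Reasons a job looks suspicious (empty list means nothing flagged)."""
    low = job["application"].lower()
    return [m.strip("\\") for m in USER_WRITABLE_MARKERS if m in low]

def _string(s):
    return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")

def build_job(application, parameters="", author="", job_id=None):
    """Build a minimal, layout-correct .job file (used only to make samples)."""
    body = struct.pack("<H", 0)  # running instance count
    body += b"".join(_string(s) for s in (application, parameters, "", author, ""))
    body += struct.pack("<HH", 0, 0)  # empty user data and reserved data
    trig_off = FIXED_HEADER_LEN + len(body)
    body += struct.pack("<HH", 1, TRIGGER_LEN) + b"\x00" * (TRIGGER_LEN - 2)
    job_id = job_id or uuid.uuid4()
    hdr = struct.pack(FIXED_HEADER_FMT, 0x0500, 1, job_id.bytes_le,
                      FIXED_HEADER_LEN + 2, trig_off, 0, 0, 0, 0,
                      0x20, 0, 0, 0, 0, b"\x00" * 16)
    return hdr + body

# Constructed samples (not files from the thread): one job running out of the
# user's profile, where the thread's SearchProtect folder lives, and one benign.
SAMPLE_JOBS = {
    "At1.job": build_job(r"C:\Documents and Settings\xxxxx\Local Settings"
                         r"\Application Data\SearchProtect\sample.exe", "/silent"),
    "Defrag.job": build_job(r"C:\WINDOWS\system32\defrag.exe", "C: /f", "Administrator"),
}

def triage(jobs=SAMPLE_JOBS):
    """Map each job name to (executable it runs, list of suspicion flags)."""
    out = {}
    for name, data in jobs.items():
        job = parse_job(data)
        out[name] = (job["application"], assess(job))
    return out
```

On a real machine, replace `SAMPLE_JOBS` with the bytes of each `*.job` file read from C:\WINDOWS\Tasks; the executable path and author it reports are what the thread asks to be posted.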
 

bkribbs

New Member
Well crap, the internet here is slow, so I guess my reply actually didn't get submitted. Both tasks point to the same process; can't remember the location off the top of my head.

When combo fix started to run, it did everything like it should, but hung at the step where it was doing the actual scanning. At that point, an error popped up saying rmbr.3xe had a memory problem and had to close.

From what I found on the internet, it seemed that this could be a rootkit maybe? Not sure. I know there are the rkill.exe and all those similar files, but not sure if they would help.

What should I do next? Thanks!
 

johnb35

Administrator
Staff member
Glad you bumped this because I totally forgot about this thread. Sorry.

Please do the following.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Folder::

c:\documents and settings\xxxxx\Local Settings\Application Data\SearchProtect
c:\program files\pcreg

File::

c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\pcreg.job


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Then uninstall the following programs.

Adobe Flash Player 11 ActiveX
J2SE Runtime Environment 5.0 Update 19

Then download the latest flash player from here.

http://get.adobe.com/flashplayer/

Then I need you to rerun OTL but this time copy and paste the following into the custom scan/fixes box at the bottom.

Code:
:OTL
DRV - (WDICA) -- File not found
DRV - (smsmdd) -- system32\DRIVERS\smsmdm.sys File not found
DRV - (PnSson) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (Changer) -- File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O15 - HKLM\..Trusted Domains: 0-monitor01-w2k ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: 3m.com ([*.hiscc1] * in Trusted sites)
O15 - HKLM\..Trusted Domains: 3m.com ([*.hiscc3] * in Trusted sites)
O15 - HKLM\..Trusted Domains: 3m.com ([hiscc1] http in Trusted sites)
O15 - HKLM\..Trusted Domains: 3m.com ([hiscc3] * in Trusted sites)
O15 - HKLM\..Trusted Domains: 3MCustomerCare.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: 3MCustomerCare.com ([www] * in Trusted sites)
O15 - HKLM\..Trusted Domains: adobe.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: apple.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: apple.com ([phobos] * in Trusted sites)
O15 - HKLM\..Trusted Domains: appnts264ph ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: awardpresenter.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: cardiolite.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: dell.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: dell.com ([*.premier] * in Trusted sites)
O15 - HKLM\..Trusted Domains: edgate.org ([*.rss] * in Trusted sites)
O15 - HKLM\..Trusted Domains: efileshare.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: efileshare.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: efileshare.com ([www] https in Trusted sites)
O15 - HKLM\..Trusted Domains: emedcon.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: emedcon.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: e-mtsonline.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: ewebhealth.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: exuberawebcasts.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: ibm.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: icanotes.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: ihealthbeat.org ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: impac.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: impac.com ([www] * in Trusted sites)
O15 - HKLM\..Trusted Domains: isweb ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: jhmi.edu ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: k12.nc.us ([*.rss] * in Trusted sites)
O15 - HKLM\..Trusted Domains: live.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: macromedia.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: mckesson.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: medai.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: medkinetics.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: mhrpt02 ([]file in Trusted sites)
O15 - HKLM\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: microsoft.com ([dgl] http in Trusted sites)
O15 - HKLM\..Trusted Domains: microsoft.com ([search.officeupdate] http in Trusted sites)
O15 - HKLM\..Trusted Domains: microsoft.com ([www] * in Trusted sites)
O15 - HKLM\..Trusted Domains: mimosa01 ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: misys.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: misysimentor.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: misysimentor.com ([www] * in Trusted sites)
O15 - HKLM\..Trusted Domains: mrnc.org ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: mrnc.org ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: netlearning.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: netlearning.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: net-learning.com ([client1] http in Trusted sites)
O15 - HKLM\..Trusted Domains: netlearning.net ([www] https in Trusted sites)
O15 - HKLM\..Trusted Domains: netlearning.us ([sis] http in Trusted sites)
O15 - HKLM\..Trusted Domains: newsstand.com ([modernphysician] http in Trusted sites)
O15 - HKLM\..Trusted Domains: nursingquality.org ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: nxtbook.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: nxtbookmedia.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: on24.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: optiosoftware.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: palmettogba.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: practicematch.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: premierinc.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: qcnet.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: qnetexchange.org ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: questdiagnostics.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: questdiagnostics.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: redwood.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: robinsmorton.net ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: rwweb01 ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: seebeyond.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: sgasp.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: state.nc.us ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: streamlinehealth.net ([maxim] http in Trusted sites)
O15 - HKLM\..Trusted Domains: sun.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: sunaro2.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: suntrust.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: surveymonkey.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: thomsonhc.com ([healthcare] http in Trusted sites)
O15 - HKLM\..Trusted Domains: trend.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: va.gov ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: va.gov ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: verge-solutions.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: verge-solutions.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: vha.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: wachovia.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: wachovia.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: webex.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: webex.com ([netlearning] https in Trusted sites)
O15 - HKLM\..Trusted Domains: yahoo.com ([*.launch] * in Trusted sites)
O15 - HKLM\..Trusted Domains: zoho.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: zohom.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range1 ([*] in Local intranet)
O15 - HKLM\..Trusted Ranges: Range10 ([https] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range11 ([*] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range12 ([*] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range13 ([*] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range13 ([http] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range14 ([*] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range2 ([http] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range3 ([http] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range4 ([http] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range5 ([http] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range6 ([http] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range7 ([https] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range8 ([http] in Trusted sites)
O15 - HKLM\..Trusted Ranges: Range9 ([https] in Trusted sites)
O15 - HKCU\..Trusted Domains: novant.net ([nh] * in Local intranet)
O15 - HKCU\..Trusted Domains: novanthealth.org ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: novanthealth.org ([*.fm] * in Local intranet)

Then click on the run fix button up top.
 

bkribbs

New Member
Having a hard time editing that; it should be noted that I did get Flash uninstalled and updated, but the second program I couldn't uninstall.
 

johnb35

Administrator
Staff member
Download and use revo uninstaller to get rid of Java. Then download the latest version here if you really need it, most people don't.

www.java.com

http://www.revouninstaller.com/

Any issues?

Just for grins, that error you were telling me about is getting to me.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

tdssstartscan_zps32a151cd.jpg


TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

2663-2-eng.png


To remove the infections simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.

After trying to clean them it will pop up with the results of the scan and its actions.

2663_3_en.png


Please reboot the system if asked to do so.

After running, there will be a log located at the root of your c:\ drive labeled TDSSKiller with a series of numbers after it, for example C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please open the log and copy and paste it back here.
 

johnb35

Administrator
Staff member
Depends on the system.

Might want to consider running Temp File Cleaner. Should speed up the PC some, and it's more in-depth than CCleaner.

http://www.bleepingcomputer.com/download/tfc/dl/92/


Download TFC from the download link above and save the file on your desktop.
Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
Double-click on the TFC icon.
When the program starts, click on the Start button. TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
When done, press OK to reboot your computer and finish the cleanup.
 

bkribbs

New Member
Ok, I'm doing that now. There are still popups coming up saying "Please update your windows drivers" and "Your Flash-player (but some knock off name) has an update available" and crap like that. Do we still have more to do?
 

johnb35

Administrator
Staff member
Can you post screenshots of those please. I don't see any driver update programs in your installed programs list.
 

bkribbs

New Member
At one point there were; those were installed. I removed them first, but what he is seeing is pop-ups offering to upgrade, but they may be gone. I'll post back if they do show up again.
 