Slow PC / pop-ups, with HijackThis log file

ceewi1

VIP Member
Please go to http://savefile.com and upload the file there. There is no need to register, just click the "UPLOAD MY FILE" button. After you upload the file, please post the link to the file. That way, anyone on the board can see the log almost as easily as if it were posted here.
 

ceewi1

VIP Member
That's the biggest Kaspersky log I've ever seen! Fortunately no signs of the file infector I'd suspected, though, so we should be able to clean this, but there's quite a bit of work to do. We'll start with a few automated scans, which will remove a lot of it:

Download Dr.Web CureIt to the desktop, but do not run it yet:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Please download ATF Cleaner by Atribune, but do not run it yet.

Please download AVG Anti-Spyware from HERE and save that file to your desktop.
  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon Update.
    • Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
  4. Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  5. Once in the Settings screen click on Recommended actions and then select Quarantine.
  6. Under Reports
    • Select Do not automatically generate reports
    • Un-Select Only if threats were found
  7. Please close AVG Anti-Spyware without running a scan.


Next, please reboot your computer in Safe Mode (tap F8 before Windows starts to load and select Safe Mode from the list).

Please run ATF-Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please run Dr. Web CureIt:
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found:
    [image: check.gif]
  • If so, click it, then click the icon right below and select Move incurable, as shown in the next image:
    [image: move.gif]

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

Please open AVG Anti-Spyware
  • Run a complete system scan with AVG Anti-Spyware.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select Apply all actions.
  • Next select the Reports icon at the top.
  • Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware

Please reboot your system into Normal Mode, and post:
  • The Dr. Web CureIt report
  • The AVG Anti-Spyware Report
  • A new HijackThis log
Please use http://savefile.com for any logs that are too large to post here.
 

tsi18psi

New Member
So I downloaded all the scanners last night and saved them to my desktop.
When I rebooted and opened in safe mode the only scanner I could find was AVG. The other 2 I couldn't find anywhere. Any ideas?
 

ceewi1

VIP Member
Did you log on with your usual account? If you used the Administrator account, it would have had a different desktop. Try moving the other scanners to your C: drive, rather than the Desktop and retry.
 

ceewi1

VIP Member
That's good, could I please see a new HijackThis log? The order of those two scans isn't a problem - they've removed what I expected them to.
 

tsi18psi

New Member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:53 PM, on 11/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\WCMain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://accountservices.passport.net/reg.srf?xpwiz=true&lc=1033&fid=RegXPWizCredOnly
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [_Res] c:\hp\bin\cloaker c:\hp\bin\SetRes\SetRes.bat
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Stardust Wallpaper Control 2003.lnk = C:\WINDOWS\WCMain.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{18D259BD-77B4-40CC-93AC-404A16901D81}: NameServer = 205.188.146.145
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4437 bytes
 

ceewi1

VIP Member
That's a huge improvement, your logfile appears to be clean. How are things now?

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths in the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    Code:
    C:\Documents and Settings\Administrator\Desktop\LimeWire\_
    C:\Documents and Settings\Default User\Desktop\LimeWire\_
    C:\Documents and Settings\Owner\Desktop\LimeWire\_
    C:\WINDOWS\system32\config\systemprofile\Desktop\LimeWire\_
    C:\Program Files\Arcade.EXE
    C:\Program Files\arcade-2.4.exe
    C:\Documents and Settings\Owner\install.exe
    C:\Documents and Settings\Default User\TBONWnd.EXE
    C:\Documents and Settings\Administrator\TBONWnd.EXE
    C:\Documents and Settings\Administrator\install.exe
    C:\Documents and Settings\Default User\install.exe
    C:\WINDOWS\system32\config\systemprofile\install.exe
    C:\WINDOWS\system32\ethc.dll
    C:\WINDOWS\system32\install.exe
    C:\WINDOWS\system32\MS13.exe
    C:\WINDOWS\system32\p2pnetworking.exe
    C:\WINDOWS\system32\vMW07a
    C:\WISetup.exe
    D:\do_work\kysolbeg.exe
    D:\do_work\ayqgbrps.exe
    C:\WINDOWS\system32\config\systemprofile\TBONWnd.EXE

  • Return to OTMoveIt, right click on the Paste List of Files/Folders to be moved window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please also turn off System Restore, and turn it back on again. This will clean out your infected Restore Points. To do so:

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Then to turn it back on again:
1. Wait for Windows to finish clearing Restore Points.
2. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

There are a few very important updates I would strongly recommend.

I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. AVG makes an excellent free antivirus client, as do AntiVir or avast!. Please download and install one of the above antivirus programs, and allow it to run a full scan. Let me know if you have any troubles with the installation, or if the scan finds anything it can't remove.

Please consider maintaining a firewall, as it is a vital element of your overall system security. Some good free firewalls are ZoneAlarm, Kerio, or Outpost.

You desperately need to update your Windows XP to Service Pack 2 since it is probably the most important security update they have ever created and running without it almost guarantees you will get infected again. You can obtain Service Pack 2 from http://update.microsoft.com/

Once you've updated to Service Pack 2, please also download all critical updates from http://update.microsoft.com/

Please post a report on how your system is running after the upgrade to Service Pack 2, as any problems with the update may indicate that malware is still present.
 

tsi18psi

New Member
I don't get what you're talking about: copy the file paths in the code box to the clipboard...

Is this something I do before or after the scan? I don't get what you want me to do.
 

ceewi1

VIP Member
OTMoveIt will remove those specific files, rather than running any sort of scan. What I would like you to do is copy that list of files in the codebox into the "Paste List of Files/Folders to be moved" section of OTMoveIt, before clicking the red MoveIt! button. That will instruct OTMoveIt to remove those specific files.

One way of copying those files is to highlight them all and press Ctrl+C. Then, open up OTMoveIt, right-click in the "Paste List of Files/Folders to be moved" section and choose Paste.
 

tsi18psi

New Member
C:\Documents and Settings\Administrator\Desktop\LimeWire\_ moved successfully.
C:\Documents and Settings\Default User\Desktop\LimeWire\_ moved successfully.
C:\Documents and Settings\Owner\Desktop\LimeWire\_ moved successfully.
C:\WINDOWS\system32\config\systemprofile\Desktop\LimeWire\_ moved successfully.
C:\Program Files\Arcade.EXE moved successfully.
C:\Program Files\arcade-2.4.exe moved successfully.
File/Folder C:\Documents and Settings\Owner\install.exe not found.
File/Folder C:\Documents and Settings\Default User\TBONWnd.EXE not found.
File/Folder C:\Documents and Settings\Administrator\TBONWnd.EXE not found.
File/Folder C:\Documents and Settings\Administrator\install.exe not found.
File/Folder C:\Documents and Settings\Default User\install.exe not found.
File/Folder C:\WINDOWS\system32\config\systemprofile\install.exe not found.
File/Folder C:\WINDOWS\system32\ethc.dll not found.
File/Folder C:\WINDOWS\system32\install.exe not found.
File/Folder C:\WINDOWS\system32\MS13.exe not found.
File/Folder C:\WINDOWS\system32\p2pnetworking.exe not found.
C:\WINDOWS\system32\vMW07a moved successfully.
C:\WISetup.exe moved successfully.
File/Folder D:\do_work\kysolbeg.exe not found.
File/Folder D:\do_work\ayqgbrps.exe not found.
File/Folder C:\WINDOWS\system32\config\systemprofile\TBONWnd.EXE not found.

Created on 11/17/2007 02:00:56
 

tsi18psi

New Member
OK, I did that. It moved the entire list to the Results file.
Was I supposed to click Clean up before posting the list?
 

ceewi1

VIP Member
That's fine - you can click the CleanUp button now - it will remove the backups that OTMoveIt created as well as the program itself.
 