Outer Info and Internet Speed Monitor Malware [RESOLVED]


This topic is locked

#16 Compz (Member, Topic Starter, 14 posts)
Hi,

I went to the prevention page and did a disk cleanup, and cleaned up prior restore points, but the computer is still slow. I performed a full scan with SUPERAntiSpyware and the log is below, as well as a new HijackThis log. I still feel the computer is infected. Thank you kindly for your help.

SUPERAntiSpyware Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/10/2008 at 01:50 PM

Application Version : 3.9.1008

Core Rules Database Version : 3396
Trace Rules Database Version: 1388

Scan type : Complete Scan
Total Scan Time : 00:19:30

Memory items scanned : 261
Memory threats detected : 0
Registry items scanned : 3990
Registry threats detected : 0
File items scanned : 13878
File threats detected : 22

Adware.Tracking Cookie

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:36 PM, on 2/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Unknown owner - C:\WINDOWS\system32\HPConfig.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 2218 bytes

#17 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

What Superantispyware found are only cookies.

Why did you uninstall Avira again? How are you supposed to prevent malware if you uninstalled it again?

I also see that some HP software was suddenly deleted? Did you delete it? Why?

Can you redownload Combofix so I can take a look? Because from what I see here, you've deleted some other programs in between, and there are still a lot of orphaned entries related to these programs.
Also, the Combofix log should show if you're still infected...

By the way, can you also tell me what exactly is slow? Is it your Internet? Internet Explorer? Startup? Slow in general?
Also tell me your computer specs... How much RAM you have, etc.

Edited by miekiemoes, 10 February 2008 - 01:41 PM.


#18 Compz (Member, Topic Starter, 14 posts)
Hi,

I have installed Avira again. I thought it might get infected again if I left it there. I deleted the HP Config and HP WirelessMgr thinking they contained the virus. I am happy to report that I am not getting the annoying pop-ups, but I still feel the computer is not running at its optimal speed. It's the sound when it boots up: it's like it runs for a few seconds and then you can hear it slow down a bit. The computer's RAM is 192 MB. It is Windows XP Home Edition, Service Pack 1 installed, HP Pavilion ze4400, 1.05 GHz. Let me know if you need more info on my computer. Down below are a ComboFix and a HijackThis log. Thanks again for your help.

ComboFix 08-02.05.3 - Magda Zapata 2008-02-10 15:20:47.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.72 [GMT -5:00]
Running from: C:\Documents and Settings\Magda Zapata\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-10 15:05 . 2008-02-10 15:05 <DIR> d-------- C:\Program Files\Avira
2008-02-10 11:41 . 2008-02-10 11:41 <DIR> d-------- C:\nup
2008-02-10 00:12 . 2002-08-28 21:00 375,808 --a------ C:\kmd.exe
2008-02-09 13:56 . 2002-08-29 01:05 245,920 --a------ C:\cmldr
2008-02-07 19:46 . 2008-02-10 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-06 21:17 . 2008-02-06 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 19:20 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-06 18:55 . 2008-02-10 11:33 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-06 18:55 . 2008-02-06 18:55 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 18:55 . 2008-02-06 18:55 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-05 22:57 . 2008-02-05 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 22:56 . 2008-02-10 14:25 <DIR> d-------- C:\Documents and Settings\Magda Zapata\Application Data\SUPERAntiSpyware.com
2008-02-05 18:54 . 2008-02-05 18:54 <DIR> d-------- C:\Documents and Settings\Magda Zapata\Application Data\Malwarebytes
2008-02-05 18:53 . 2008-02-05 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-05 00:02 . 2008-02-05 00:02 <DIR> d-------- C:\WINDOWS\LastGood.Tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 18:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-10 18:00 --------- d-----w C:\Program Files\EPSON Print CD
2008-02-09 20:10 --------- d-----w C:\Documents and Settings\Magda Zapata\Application Data\Webshots
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-06-11 16:14 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"CARPService"="carpserv.exe" [2003-04-14 20:00 4608 C:\WINDOWS\system32\carpserv.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-09 13:37 290816]
"TV Now"="C:\Program Files\HPQ\Notebook Utilities\TvNow.exe" [ ]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-10 15:11 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\Quicken\billmind.exe [2002-09-20 11:19:46 36864]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 10:05:56 65588]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 11:20:02 53248]
Quicken Startup.lnk - C:\Program Files\Quicken\QWDLLS.EXE [2002-09-20 11:20:06 36864]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2007-08-09 13:04]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\System32\drivers\caliaud.sys [2002-11-05 10:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\System32\drivers\calihal.sys [2002-11-05 10:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\System32\DRIVERS\DP83815.SYS [2002-08-28 19:00]

*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - SSMDRV
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 15:22:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-10 15:23:14

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:31 PM, on 2/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Unknown owner - C:\WINDOWS\system32\HPConfig.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 2774 bytes

#19 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

I deleted the HP Config and HP WirelessMgr thinking they contained the virus.

No, because they were services and in this case services won't get infected.

The computer's ram is 192 MB.

Well, that explains it all. This is way too low. For XP ONLY you need at least 256 MB of RAM. 512 MB and up would be ideal if you have a lot of other programs installed.

You really need to add more RAM though, because there's nothing else we can do to speed things up.
Not sure if you have read my "Slow Computer Page", but that's what it says in one of my first lines - the amount of RAM. And looking at your computer specs, this sounds like an old computer as well. Old computers run slower; this is normal.

#20 miekiemoes (Malware Expert, MVP, 5,503 posts)
Check and fix the following entries in HijackThis:

The following are orphaned entries:

O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s

The following is a resource hog:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

The rest of your log still looks OK, so the infection is gone - I am sure of that :)

Uninstall your Combofix again as well. :)
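The orphan check done by eye in the post above (an O4 autostart whose target was uninstalled, an O23 service HijackThis already marks "(file missing)") can be scripted. This is an added example, not code from the thread or from HijackThis; the O4/O23 lines are quoted from the logs in this thread, PRESENT_FILES is a constructed stand-in for os.path.exists() so it runs offline, and resolving bare Run names under C:\WINDOWS\system32 is an assumption.

```python
import re

# Constructed sample: O4/O23 lines quoted from the HijackThis logs in this thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: HP Configuration Interface Service (HPConfig) - Unknown owner - C:\WINDOWS\system32\HPConfig.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Constructed stand-in for the files still on disk; a live run would use os.path.exists().
PRESENT_FILES = {
    r"C:\WINDOWS\system32\Ati2mdxx.exe",
    r"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe",
    r"C:\Program Files\Microsoft Office\Office\OSA9.EXE",
    r"C:\WINDOWS\System32\Ati2evxx.exe",
}

# Full path ending in an executable-type extension; stops at quotes or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys)\b', re.I)
# Bare file name after the [Name] of a Run entry, e.g. "[CARPService] carpserv.exe".
BARE_RE = re.compile(r'\]\s+([^\s"\\]+\.exe)\b', re.I)
SYSTEM32 = r"C:\WINDOWS\system32"  # assumption: bare Run names are resolved here


def target_path(line):
    """Return the file an O4 (autostart) or O23 (service) entry launches, else None."""
    if not line.startswith(("O4 ", "O23 ")):
        return None
    m = PATH_RE.search(line)
    if m:
        return m.group(0)
    m = BARE_RE.search(line)
    return f"{SYSTEM32}\\{m.group(1)}" if m else None


def find_orphans(log, present):
    """Entries whose target is gone: HijackThis's own '(file missing)' marker,
    or a path not found on disk (here: not in the constructed PRESENT_FILES)."""
    present_lower = {p.lower() for p in present}
    orphans = []
    for line in log.splitlines():
        path = target_path(line)
        if path is None:
            continue
        if "(file missing)" in line or path.lower() not in present_lower:
            orphans.append((line.split(" - ", 1)[0], path))
    return orphans


if __name__ == "__main__":
    for section, path in find_orphans(HJT_LOG, PRESENT_FILES):
        print(f"{section}: orphaned -> {path}")
```

Run against the sample it reports the two HPQ Run entries and the HPConfig service, the same three the post singles out, while the Avira and Office entries pass.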

#21 Compz (Member, Topic Starter, 14 posts)
Hi,

Thank you very much for helping clear my computer of these nasty bugs. I uninstalled Combofix and I ran AntiVir another time and it came back with no detections of viruses! Yeah, we are in the clear :)

A great big thanks to you! I have one last question. Do I need to restore the HPConfig and the HPWirelessMgr that I deleted? If so, how do I do this?

Thanks,
Magda

#22 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

What you deleted was a part of Notebook Utilities: http://h10025.www1.h...item=ob-22772-1
But if you don't really use it, then there's no need to reinstall it. After all, in your case, since you only have 192 MB of RAM, every extra program running in the background is already one program too many, because your memory can't deal with it.
The most important thing is still to make sure your antivirus is always active, no matter how much RAM you have.

#23 Compz (Member, Topic Starter, 14 posts)
Hi,

Thanks again for this information and you bet I will keep my antivirus active. I don't want this to happen again. Thanks for your help!

#24 miekiemoes (Malware Expert, MVP, 5,503 posts)
You're welcome :)

#25 miekiemoes (Malware Expert, MVP, 5,503 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.