
win antivirus snail pace laptop



#16
hoopdub2

  • Topic Starter
  • Member
  • 74 posts
Actually found something this time hehe, here's the log. I also ordered a stick of RAM last night, should be here next week :)

RogueKiller V5.2.3 [06/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Mary Newton [Admin rights]
Mode: Scan -- Date : 06/18/2011 15:01:26

Bad processes: 1
[SUSP PATH] agrsmmsg.exe -- c:\windows\agrsmmsg.exe -> KILLED

Registry Entries: 1
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt


#17
havredave

  • GeekU Moderator
  • 1,711 posts
I'm sure your machine will appreciate that RAM. :)

I'm not convinced those entries are actually wrong; I have a bit of research to do. I typically don't do a lot on weekends (I do all this from work), but I'll try to stop in, on and off. I'll be back in the saddle on Monday at any rate.

How is the machine running now, incidentally? Still very slow?

#18
havredave

  • GeekU Moderator
  • 1,711 posts
More digging!

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#19
hoopdub2

  • Topic Starter
  • Member
  • 74 posts
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18372 (longhorn_ie8_rc1(wmbla).090115-0053)
# OnlineScanner.ocx=1.0.0.6526
# api_version=3.0.2
# EOSSerial=a4c031c5a955d24786ee321e3304f4a1
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-18 08:31:44
# local_time=2011-06-18 09:31:44 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 563 563 0 0
# scanned=89649
# found=13
# cleaned=13
# scan_time=7707
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\01 - Brand New Bass Guitar.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\02 - Salvador.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\03 - Calm Down Dearest.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\04 - So Lonely Was The Ballad.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\05 - Back In The Game.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\06 - Operation.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\07 - Sheila.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\08 - Pacemaker.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\09 - Dry Off Your Cheeks.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\1-13 Shall (Remix).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\10 - Ike And Tina.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\11 - If You Got The Money.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mary Newton\My Documents\Matthew\music\jamie t\12 - Alicia Quays.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

#20
havredave

  • GeekU Moderator
  • 1,711 posts
Do you know if that machine has a default from-the-manufacturer Windows installation, or has it been reinstalled? There's one line in one of your OTL scans that isn't necessarily bad, but I'm trying to figure out its nature.

I see ESET pointed out the joys of peer to peer file sharing. It's always a risk downloading anything, especially from an unknown source such as the ones used with P2P sharing software.

In the meantime - have you defragmented the computer recently? I'm wondering if a little good old-fashioned maintenance would help your speed issues a bit. It's possible that the slow-down happening after killing IE was coincidental rather than a sign of an infection, but I'm not going to rule anything out yet.

If you need any help with a defrag and/or a quick disk cleanup (I use the built-in Windows utility for that), let me know.

Oh and.. there's more pending. We're not done yet. :)

#21
hoopdub2

  • Topic Starter
  • Member
  • 74 posts
Did a defrag last night, haven't been back on my laptop to check if it's any better as yet. I'm home in a few hours, will keep you updated. I did save the log of the defrag if that's any good to you?

#22
havredave

  • GeekU Moderator
  • 1,711 posts
Only for the sake of curiosity. :)

Sure, go ahead and post it. I'm wondering what the initial fragmentation was, at any rate.

I might have something else to try in a little bit too.

#23
havredave

  • GeekU Moderator
  • 1,711 posts
I see you have Malwarebytes' Anti-Malware installed.

Please start MBAM.
  • Click the Update tab. Press the Check for Updates button.
  • If an update is found, it will download and install the latest version.
  • Go back to the Scanner tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply, whether it found anything or not.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#24
hoopdub2

  • Topic Starter
  • Member
  • 74 posts
Defrag did nothing, if anything it's running slower again :)

Here's the MBAM log

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6912

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18372

21/06/2011 22:09:59
mbam-log-2011-06-21 (22-09-56).txt

Scan type: Quick scan
Objects scanned: 145282
Time elapsed: 37 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Here's the defrag log

Volume (C:)
Volume size = 37.26 GB
Cluster size = 4 KB
Used space = 27.76 GB
Free space = 9.50 GB
Percent free space = 25 %

Volume fragmentation
Total fragmentation = 0 %
File fragmentation = 1 %
Free space fragmentation = 0 %

File fragmentation
Total files = 100,258
Average file size = 349 KB
Total fragmented files = 2
Total excess fragments = 84
Average fragments per file = 1.00

Pagefile fragmentation
Pagefile size = 465 MB
Total fragments = 9

Folder fragmentation
Total folders = 6,972
Fragmented folders = 1
Excess folder fragments = 0

Master File Table (MFT) fragmentation
Total MFT size = 131 MB
MFT record count = 107,495
Percent MFT in use = 80 %
Total MFT fragments = 3

--------------------------------------------------------------------------------
Fragments File Size Files that cannot be defragmented
None

#25
havredave

  • GeekU Moderator
  • 1,711 posts
Waiting on feedback before our next step. Just a little deeper digging!

Have you had the hoax antivirus popups since we started cleaning, or is it just the slowdown that we're fighting against right now?


#26
hoopdub2

  • Topic Starter
  • Member
  • 74 posts
Hi, no pop-ups. Just fitted the RAM, running a lot quicker, no quicker than before all this though, seems very jumpy now. I've been googling some of the processes I've seen in the Task Manager, and apparently some of them could possibly be wrong/malicious: wuauclt.exe, agrsmmsg.exe, svchost.exe?? Starting to think this laptop is going to have an accident :)

#27
havredave

  • GeekU Moderator
  • 1,711 posts
Actually, those three are legitimate. If they are in an incorrect location they can be bad, but they are not. :)

If you see others that you're wondering about, by all means, mention them. I don't think we've missed anything, but it's sure possible.

Have you installed a full-time antivirus yet? If you haven't, hold off until the next set of instructions, granted my reviewer OKs them.
  • 0
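
The location check described in post #27, as an added example that is not part of the original thread or any tool used in it: it parses process entries in the shape of the one RogueKiller line from post #16 and compares each image's directory with a baseline. The `EXPECTED_DIRS` baseline, the regular expression and the sample log are assumptions made for this illustration.

```python
import ntpath
import re

# Baseline of directories each image is expected to run from. System32 is the
# standard home of svchost.exe and wuauclt.exe; c:\windows for agrsmmsg.exe is
# the path in the RogueKiller log above, which the moderator judged legitimate.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "wuauclt.exe": {r"c:\windows\system32"},
    "agrsmmsg.exe": {r"c:\windows"},
}

# Line shape assumed from the single process entry shown in the thread:
#   [SUSP PATH] agrsmmsg.exe -- c:\windows\agrsmmsg.exe -> KILLED
PROCESS_LINE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<name>\S+)\s+--\s+(?P<path>.+?)\s+->\s+(?P<status>\w+)$")

def normalize(path):
    """Lower-case, unify separators and collapse '..' so the real directory is compared."""
    return ntpath.normpath(path.strip().strip('"').replace("/", "\\")).lower()

def classify(image_path):
    """Return 'expected-location', 'wrong-location' or 'unlisted' for one image path."""
    directory, name = ntpath.split(normalize(image_path))
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return "unlisted"  # no baseline for this name: research it by hand
    return "expected-location" if directory in expected else "wrong-location"

def triage(log_text):
    """Return (name, path, tool_status, verdict) for every process line in the log."""
    rows = []
    for line in log_text.splitlines():
        m = PROCESS_LINE.match(line.strip())
        if m:
            rows.append((m["name"], m["path"], m["status"], classify(m["path"])))
    return rows

# Constructed sample: the first entry is the one from the thread, the others are made up.
SAMPLE_LOG = r"""Bad processes: 3
[SUSP PATH] agrsmmsg.exe -- c:\windows\agrsmmsg.exe -> KILLED
[SUSP PATH] svchost.exe -- C:\WINDOWS\system32\..\Temp\svchost.exe -> KILLED
[SUSP PATH] updater.exe -- C:\Documents and Settings\user\updater.exe -> KILLED
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A "wrong-location" verdict only says the name and directory disagree with the baseline; an "unlisted" name still needs the kind of manual research the moderator describes.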

#28
havredave

  • GeekU Moderator
  • 1,711 posts
Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

#29
hoopdub2

  • Topic Starter
  • Member
  • 74 posts
ComboFix does not work. It loads, I click on the download Recovery Console, agree to the terms, yes to continue looking for malware. Screen says scanning may take 10 mins or longer on badly infected PCs, then crashes. Did it the first time for 25 mins then had to power off to shut down my PC, second time for an hour, crashed, screen did not update at all, again had to hold the power button as nothing would work.

#30
havredave

  • GeekU Moderator
  • 1,711 posts
That can happen, but an hour is a bit much. Was your hard drive activity light going when it seemed like it was doing nothing? Often, Combofix won't give any outward indication that it's doing anything, when it is.

Do be sure you don't click in the Combofix window either, as the instructions mention. That can cause it to hang.

In the meantime, I'll offer an alternative step to my reviewer; hopefully I'll have something to post by the time you get back to me, if it doesn't work again.