[jeffce]

Sounds good...I have a busy day today at work so my replies might have been limited anyway.

[Advertisements]

For the most part my computer works OK . . . it's just when it first starts up that it is terribly slow . . . but after a while it seems OK . . . but I think something is not right.

[crazyh]

For the most part my computer works OK . . . it's just when it first starts up that it is terribly slow . . . but after a while it seems OK . . . but I think something is not right.

[jeffce]

Hi,

There are many reasons why a computer might be running slowly...malware being one of them. I would wager to say that this is your problem though...

511.48 Mb Total Physical Memory | 101.85 Mb Available Physical Memory | 19.91% Memory free

Windows needs some elbow room to work efficiently and you are down on the low end of needed memory on your system.

[crazyh]

Here's the Malware Log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.17.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
User :: USER-2B0 [administrator]

5/17/2012 6:04:35 PM
mbam-log-2012-05-17 (18-04-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 179070
Time elapsed: 14 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


I ran ESET but it wasn't like the one you described and I didn't get a log. But it did say no threats found.

Is that sufficient enough?

Thanks

[jeffce]

Yes that is just fine. How is your system running?

[crazyh]

For the most part it seems OK but takes a very long time, especially at start up, to get going and navigating from one site to another or for something to open. I didn't think I had a virus or spyware but you did state I was running out of memory. Do you think that is the issue and is there a fix for it?

Thanks

[jeffce]

Hi,

Please download TDSSKiller.zip

• Extract it to your desktop
• Double click TDSSKiller.exe
• when the window opens, click on Change Parameters
• under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
• click OK
• Press Start Scan
  
  • Only if Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now
• Attach the log in your next reply
  
  • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------

[crazyh]

I ran the TDSS KIller program. I got a log but didn't find a way to copy and paste it. Anyway the scan found NO THREATS

Does that help?

[jeffce]

Hi,

Yes that helped.
---------

Let's get another scan to be sure...

Please read through these instructions to familarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------

[crazyh]

Hi Jeff:

I won't be able to get to this till Tuesday evening. I'm away for a couple days

Thanks for hanging in there with me

Tom

[jeffce]

Not a problem. I can keep the topic open. Thanks for letting me know.

[crazyh]

I'll try for tonight.

I know how to disable AVAST & Spyware Blaster. I don't believe I have to disable Malware Bytes because it's not automatically running.

Edited by crazyh, 21 May 2012 - 08:28 AM.

[jeffce]

Hi,

I don't think that SpywareBlaster will cause a problem. To disable Avast go to the Avast orb in the tool bar by your clock and right click on that. Go to Avast shields control and select Disable until computer is restarted.

[crazyh]

Here's the COmboFix Log:


ComboFix 12-05-21.05 - User 05/21/2012 17:23:45.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.123 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\User\WINDOWS
c:\windows\system\MTEXTRAE.FON
c:\windows\system\MTSYMBOE.FON
c:\windows\system\MTSYMITE.FON
.
.
((((((((((((((((((((((((( Files Created from 2012-04-21 to 2012-05-21 )))))))))))))))))))))))))))))))
.
.
2012-05-17 22:42 . 2012-05-17 22:42 -------- d-----w- c:\program files\ESET
2012-05-15 21:10 . 2012-05-15 21:10 -------- d-----w- C:\_OTL
2012-04-30 12:39 . 2012-04-30 12:39 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-30 12:38 . 2012-04-30 12:38 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-30 12:38 . 2012-04-30 12:38 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-04-24 21:46 . 2012-04-24 21:47 -------- d-----w- c:\program files\Recuva
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-20 16:00 . 2007-08-20 18:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-20 16:00 . 2010-06-14 20:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-11 13:12 . 2004-08-04 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10 . 2004-08-04 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56 . 2010-07-01 21:36 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-01 01:25 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 01:25 . 2009-06-02 21:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-03-01 01:25 . 2004-08-04 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2012-03-01 01:25 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2012-02-29 14:10 . 2004-08-04 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-23 16:23 . 2010-06-29 21:31 41184 ----a-w- c:\windows\avastSS.scr
2012-02-23 16:23 . 2009-04-02 21:43 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-02-23 16:12 . 2011-08-05 18:30 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-23 16:12 . 2009-04-02 21:43 337112 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-02-23 16:10 . 2009-04-02 21:43 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-02-23 16:10 . 2009-04-02 21:43 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-02-23 16:10 . 2009-04-02 21:43 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-02-23 16:10 . 2009-04-02 21:43 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-02-23 16:10 . 2009-04-02 21:43 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-02-23 16:07 . 2009-04-02 21:43 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-04-30 12:38 . 2011-09-02 20:03 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23 123536 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2011-05-25 2301752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/5/2011 2:30 PM 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/2/2009 5:43 PM 337112]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/13/2010 5:11 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2009 5:43 PM 20696]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/30/2012 8:39 AM 129976]
S3 zlportio;ZLPORTIO - Allow user access to I/O ports;\??\e:\apps\DriverWizard\zlportio.sys --> e:\apps\DriverWizard\zlportio.sys [?]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 216.165.129.158
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ckuaolxr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-21 17:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-05-21 17:37:49
ComboFix-quarantined-files.txt 2012-05-21 21:37
.
Pre-Run: 59,253,633,024 bytes free
Post-Run: 59,203,686,400 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - AF722D83AF8246C1BFFDC659254A3CC3

[jeffce]

Hi,

That looks good.

Go ahead and update Malwarebytes and run a new scan with that as well as run a new scan with ESET and see if ComboFix shook anything else loose.

Attach both of the logs made to your next reply.