Topic: slow infected laptop


4on4off (Full Member, 54 posts)
slow infected laptop
« on: July 11, 2012, 08:55:38 PM »
Hello,

My niece's Dell Inspiron 1545 is running Vista Home Premium 32-bit. She was complaining about it being sluggish and slow to boot.
I deselected several unnecessary startup items and ran Malwarebytes in Safe Mode, which found 264 items, mainly PUP.MyWebSearch or the like along with a few trojans (BHO and Dropper). I did save the log if needed.

I also removed uTorrent and FrostWire along with a few extra toolbars.

Here is the checkup.txt:

 Results of screen317's Security Check version 0.99.42 
 Windows Vista Service Pack 2 x86 (UAC is enabled) 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials   
  (On Access scanning disabled!)
 Error obtaining update status for antivirus! 
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.61.0.1400 
 TuneUp Companion 1.9.0   
 Java(TM) 6 Update 30 
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Flash Player    11.1.102.62 
 Adobe Reader 8 Adobe Reader out of Date!
 Google Chrome 19.0.1084.46 
 Google Chrome 19.0.1084.56 
````````Process Check: objlist.exe by Laurent````````
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 9 % Defragment your hard drive soon!
````````````````````End of Log``````````````````````

Here is the dds.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19272
Run by Aaliyah Kilbourne at 17:25:59 on 2012-07-11
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3034.1550 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Dell\apache\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft\BingBar\BBSvc.EXE
C:\Program Files\Common Files\Dell\apache\bin\httpd.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Dell\MySQL\bin\mysqld.exe
C:\Program Files\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe
C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe
c:\Program Files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\sminst\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\windows\SMINST\Components\scheduler\STService.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files\somototoolbar\vmntemplateX.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - No File
BHO: Yontoo Layers (Drop Down Deals): {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime (drop down deals)\YontooIEClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: HyperCam Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - c:\program files\hypercam toolbar\tbcore3.dll
TB: {0C8413C1-FAD1-446C-8584-BE50576F863E} - No File
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files\somototoolbar\vmntemplateX.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [MediaGet2] c:\users\aaliyah kilbourne\appdata\local\mediaget2\mediaget.exe --minimized
uRun: [Facebook Update] "c:\users\aaliyah kilbourne\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [Launcher] %WINDIR%\SMINST\Components\scheduler\Launcher.exe
StartupFolder: c:\users\aaliya~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www.freerealms.com/gamedata/FreeRealmsInstaller.cab
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2009.4.9.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{78C7D670-D03A-4507-9331-32218139DE48} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{CA751E5C-C08C-47DD-B897-54EEB75B4976} : DhcpNameServer = 65.32.5.111 65.32.5.112
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_f6ef8056\AEstSrv.exe [2009-6-20 81920]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 Apache2.2;Remote Access Media Server;c:\program files\common files\dell\apache\bin\httpd.exe [2007-9-21 15872]
R2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
R2 dsl-db;Remote Access DB;c:\program files\common files\dell\mysql\bin\mysqld.exe [2007-9-14 5730304]
R2 dsl-fs-sync;Remote Access File Sync Service;c:\program files\common files\dell\remote access file sync service\dsl_fs_sync.exe [2009-1-5 173296]
R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\FABS.exe [2009-8-27 1253376]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 SftService;SoftThinks Agent Service;c:\windows\sminst\SftService.exe [2009-6-20 632048]
R3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-12-7 54632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\common files\magix services\database\bin\fbserver.exe [2008-8-7 3276800]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-20 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-20 40552]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
S3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\dellsu~1\hwdiag\bin\PCD5SRVC.pkms [2008-11-4 22904]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-11-26 34384]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusb.sys [2002-2-20 70016]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
.
=============== Created Last 30 ================
.
2012-07-11 21:11:37   2047488   ----a-w-   c:\windows\system32\win32k.sys
2012-07-11 20:53:35   708608   ----a-w-   c:\program files\common files\system\ado\msado15.dll
2012-07-11 20:53:30   1401856   ----a-w-   c:\windows\system32\msxml6.dll
2012-07-11 20:53:30   1248768   ----a-w-   c:\windows\system32\msxml3.dll
2012-07-11 20:53:26   440704   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2012-07-11 20:53:25   278528   ----a-w-   c:\windows\system32\schannel.dll
2012-07-11 20:53:25   204288   ----a-w-   c:\windows\system32\ncrypt.dll
2012-07-11 20:33:17   713784   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{386d93b8-f4e5-45d7-a17c-b974a0f47a5b}\gapaengine.dll
2012-07-11 20:31:53   6762896   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{888545ff-08f0-4a11-8c19-1b917058edf2}\mpengine.dll
2012-07-11 20:24:15   --------   d-----w-   c:\program files\Microsoft Security Client
2012-07-11 20:23:17   221568   ----a-w-   c:\windows\system32\drivers\netio.sys
2012-07-11 19:52:58   --------   d-----w-   c:\program files\VS Revo Group
2012-07-11 17:37:36   --------   d-----w-   c:\users\aaliyah kilbourne\appdata\roaming\Malwarebytes
2012-07-11 17:37:32   --------   d-----w-   c:\programdata\Malwarebytes
2012-07-11 17:37:31   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-07-11 17:37:31   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-07-11 17:07:08   --------   d-----w-   c:\windows\pss
2012-07-03 09:26:18   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-07-03 09:24:39   88576   ----a-w-   c:\windows\system32\wudriver.dll
2012-07-03 09:23:47   33792   ----a-w-   c:\windows\system32\wuapp.exe
2012-07-03 09:23:47   171904   ----a-w-   c:\windows\system32\wuwebv.dll
2012-06-12 20:58:54   984064   ----a-w-   c:\windows\system32\crypt32.dll
2012-06-12 20:58:37   133120   ----a-w-   c:\windows\system32\cryptsvc.dll
2012-06-12 20:58:25   98304   ----a-w-   c:\windows\system32\cryptnet.dll
2012-06-12 20:55:59   197632   ----a-w-   c:\program files\internet explorer\IEShims.dll
2012-06-12 20:55:59   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-06-12 20:55:58   71680   ----a-w-   c:\windows\system32\iesetup.dll
2012-06-12 20:55:58   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2012-06-12 20:55:58   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2012-06-12 20:55:53   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2012-06-12 20:38:48   180736   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
.
==================== Find3M  ====================
.
2012-05-15 06:37:49   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-05-15 06:32:00   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-05-15 05:01:56   385024   ----a-w-   c:\windows\system32\html.iec
.
============= FINISH: 17:27:13.10 ===============


Here is the attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 6/19/2009 6:58:39 PM
System Uptime: 7/11/2012 5:16:07 PM (0 hours ago)
.
Motherboard: Dell Inc. |  | 0G848F
Processor: Celeron(R) Dual-Core CPU       T3000  @ 1.80GHz | Microprocessor | 1795/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 218 GiB total, 44.667 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 15 GiB total, 8.871 GiB free.
F: is CDROM ()
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}
Description: Screaming Bee Audio
Device ID: ROOT\MEDIA\0000
Manufacturer: Screaming Bee
Name: Screaming Bee Audio
PNP Device ID: ROOT\MEDIA\0000
Service: SCREAMINGBDRIVER
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
4500_G510af_Help
4500G510af
4500G510af_Software_Min
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8
Adobe Shockwave Player 11.5
Akamai NetSession Interface
Akamai NetSession Interface Service
Amnesia - The Dark Descent
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
AVS Update Manager 1.0
Bing Bar
Bonjour
BufferChm
CameraHelperMsi
Carbonite Online Backup Setup
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Conduit Engine
Corel Graphics - Windows Shell Extension
Dell-eBay
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell DataSafe Online
Dell Dock
Dell Edoc Viewer
Dell Getting Started Guide
Dell Remote Access
Dell Support Center (Support Software)
Dell Touchpad
Dell Wireless WLAN Card Utility
Destinations
DeviceDiscovery
DivX Plus Web Player
DocMgr
DocProc
Drivers Install For Linksys Easylink Advisor
EA Download Manager
erLT
Facebook Video Calling 1.2.0.159
Fax
Façade
Firebird SQL Server - MAGIX Edition
FL Studio 10
Google Chrome
GoToAssist 8.0.0.514
GPBaseService2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
HP Customer Participation Program 13.0
HP Document Manager 2.0
HP Imaging Device Functions 13.0
HP Officejet 4500 G510a-f
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HPProductAssistant
HPSSupply
HyperCam Toolbar
IL Download Manager
IMVU Avatar Chat Software
Instant Play Guitar Express
Intel® Matrix Storage Manager
iTunes
Java Auto Updater
Java(TM) 6 Update 30
Junk Mail filter update
Katawa Shoujo
Linksys EasyLink Advisor 1.6 (0032)
Logitech Vid HD
Logitech Webcam Software
Love & Order
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Magic ISO Maker v5.5 (build 0281)
MAGIX Screenshare
MAGIX Speed 2 (MSI)
Malwarebytes Anti-Malware version 1.61.0.1400
MarketResearch
MediaGet2 version 2.1.538.0
MediaGet2 version 2.1.716.0
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Visual Studio Tools for Applications 2.0 Runtime
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Microsoft Works
Microsoft WSE 3.0 Runtime
Microsoft XNA Framework Redistributable 3.0
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Game Studio 3.1
Microsoft XNA Game Studio 3.1 (ARP entry)
Microsoft XNA Game Studio 3.1 (Platformer)
Microsoft XNA Game Studio 3.1 (Redists)
Microsoft XNA Game Studio 3.1 (Shared Components)
Microsoft XNA Game Studio 3.1 (VCSExpress)
Microsoft XNA Game Studio 3.1 (XnaLiveProxy)
Microsoft XNA Game Studio 3.1 Documentation
Microsoft XNA Game Studio Platform Tools
Mobile Broadband Generic Drivers
MobileMe Control Panel
MorphVOX Pro
MP3 Rocket FileBulldog Toolbar
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Coach Player
My Magical Cosplay Cafe 1.0
Nancy Drew: The Curse of Blackmoor Manor
OCR Software by I.R.I.S. 13.0
OGA Notifier 2.0.0048.0
ooVoo
OpenOffice.org 3.1
osu!
Pando Media Booster
PESTERCHUM
PowerDVD DX
QuickSet
QuickTime
RE: Alistair++ 1
Revo Uninstaller 1.94
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Safari
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Shop for HP Supplies
Skype Click to Call
Skype™ 5.8
SmartWebPrinting
SolutionCenter
Spotify
SQL Server System CLR Types
Status
TalkAndWrite
Text-To-Speech-Runtime
The Sims Medieval
The Sims™ 3
The Sims™ 3 World Adventures
ToggleEN Toolbar
Toolbox
TrayApp
TuneUp Companion 1.9.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VC80CRTRedist - 8.0.50727.4053
video-processor
Virtual DJ - Atomix Productions
VirtualCloneDrive
VLC media player 1.0.3
WebReg
WhiteBoardMeeting
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver
Yontoo Layers Runtime (Drop Down Deals) 1.10.01
.
==== Event Viewer Messages From Past Week ========
.
7/5/2012 2:24:04 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the PlugPlay service.
7/11/2012 5:22:16 PM, Error: netbt [4321]  - The name "SCOTT-PC       :0" could not be registered on the interface with IP address 192.168.2.150. The computer with the IP address 192.168.2.148 did not allow the name to be claimed by this computer.
7/11/2012 5:19:15 PM, Error: Service Control Manager [7000]  - The Intel(R) PRO/1000 PCI Express Network Connection Driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/11/2012 5:19:15 PM, Error: Service Control Manager [7000]  - The Intel(R) PRO/1000 NDIS 6 Adapter Driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/11/2012 5:19:15 PM, Error: Service Control Manager [7000]  - The Instant Wireless USB Network Adapter ver.2.6 Driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/11/2012 5:02:25 PM, Error: netbt [4321]  - The name "JILL-PC        :0" could not be registered on the interface with IP address 192.168.2.150. The computer with the IP address 192.168.2.147 did not allow the name to be claimed by this computer.
7/11/2012 4:29:27 PM, Error: VDS Dynamic Provider [10]  - The provider failed while storing notifications from the driver. The Virtual Disk Service should be restarted. hr=80042505
7/11/2012 3:49:43 PM, Error: netbt [4321]  - The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.2.150. The computer with the IP address 192.168.2.148 did not allow the name to be claimed by this computer.
7/11/2012 3:46:00 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/11/2012 3:45:59 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/11/2012 3:45:30 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
7/11/2012 3:45:29 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/11/2012 3:45:22 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/11/2012 3:44:46 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
7/11/2012 3:42:44 PM, Error: Service Control Manager [7001]  - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
7/11/2012 3:42:02 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ElbyCDIO spldr Wanarpv6
7/11/2012 3:42:02 PM, Error: Service Control Manager [7001]  - The Windows Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
7/11/2012 3:42:02 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
7/11/2012 3:41:01 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000]  - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv.dll Error Code: 21
7/11/2012 3:40:44 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048]  - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
7/11/2012 3:40:44 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
7/11/2012 12:49:30 PM, Error: EventLog [6008]  - The previous system shutdown at 12:46:17 PM on 7/11/2012 was unexpected.
7/11/2012 12:46:18 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
7/11/2012 1:20:55 PM, Error: Service Control Manager [7043]  - The Windows Update service did not shut down properly after receiving a preshutdown control.
7/11/2012 1:11:50 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Akamai service.
.
==== End Of File ===========================

Sheesh, that took a while cuz her keyboard had something spilled on it, so some keys are sticky and some don't work. lol

Anyway, also for some reason every time it boots I get the beeping noise and it wants me to select the OS; only one is listed.

Thank you for any assistance.

4

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20701
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: slow infected laptop
« Reply #1 on: July 11, 2012, 09:41:22 PM »
Hi, 4on4off.

Holy toolbars!  I see remnants of what you've removed.  The remnants will be dealt with.  I suggest removing the following:

Conduit Engine -- adware/trackware
GoToAssist 8.0.0.514 -- Remote assistance software.  Since the Dell is out of warranty, I suggest removing.
ooVoo -- detected by ESET's Nod32 antivirus as Win32/Adware.Toolbar.Visicom
ToggleEN Toolbar -- adware, part of Conduit family

We'll look at the outdated programs a bit later.  It is very possible that you are being asked to select an OS because of damage due to the spill.

Please follow these instructions carefully.

Download ComboFix from the following location:  Link 1

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline 4on4off

Re: slow infected laptop
« Reply #2 on: July 11, 2012, 10:28:27 PM »
Corrine,

Here is the ComboFix log:

ComboFix 12-07-11.03 - Aaliyah Kilbourne 07/11/2012  19:09:41.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3034.1715 [GMT -4:00]
Running from: c:\users\Aaliyah Kilbourne\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\HyperCam Toolbar\tbCOre3.dll
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\program files\somototoolbar\vmNTemplatex.dll
c:\users\Aaliyah Kilbourne\AppData\Local\Microsoft\Windows\Temporary Internet Files\CuJBD__vO1_
c:\users\Aaliyah Kilbourne\AppData\Local\Microsoft\Windows\Temporary Internet Files\Gdf_4LN6OcVOIYM
c:\users\Aaliyah Kilbourne\AppData\Local\Microsoft\Windows\Temporary Internet Files\kSyI1AQ_-P7_
c:\users\Public\AkamaiDownloadManagerInstaller.exe
c:\users\Public\kSolo_Install1_2_1_41.exe
c:\users\Public\MorphVOXPro4_Install-1.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\212aa8d2.dll
c:\windows\system32\d7998c4.dll
E:\AUTORUN.INF
.
.
(((((((((((((((((((((((((   Files Created from 2012-06-11 to 2012-07-11  )))))))))))))))))))))))))))))))
.
.
2012-07-11 23:20 . 2012-07-11 23:20   --------   d-----w-   c:\users\Aaliyah Kilbourne\AppData\Local\temp
2012-07-11 21:58 . 2012-06-18 07:14   6762896   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AAAB4DE5-C23F-488B-BC91-DE617A5E96B8}\mpengine.dll
2012-07-11 21:11 . 2012-06-13 13:40   2047488   ----a-w-   c:\windows\system32\win32k.sys
2012-07-11 20:53 . 2012-06-05 16:47   708608   ----a-w-   c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 20:53 . 2012-06-05 16:47   1401856   ----a-w-   c:\windows\system32\msxml6.dll
2012-07-11 20:53 . 2012-06-05 16:47   1248768   ----a-w-   c:\windows\system32\msxml3.dll
2012-07-11 20:53 . 2012-06-04 15:26   440704   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2012-07-11 20:53 . 2012-06-02 00:04   278528   ----a-w-   c:\windows\system32\schannel.dll
2012-07-11 20:53 . 2012-06-02 00:03   204288   ----a-w-   c:\windows\system32\ncrypt.dll
2012-07-11 20:33 . 2012-02-09 18:17   713784   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{386D93B8-F4E5-45D7-A17C-B974A0F47A5B}\gapaengine.dll
2012-07-11 20:24 . 2012-07-11 20:25   --------   d-----w-   c:\program files\Microsoft Security Client
2012-07-11 20:23 . 2010-04-05 20:00   221568   ----a-w-   c:\windows\system32\drivers\netio.sys
2012-07-11 19:52 . 2012-07-11 19:52   --------   d-----w-   c:\program files\VS Revo Group
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Malwarebytes
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\programdata\Malwarebytes
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-07-11 17:37 . 2012-04-04 19:56   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-07-03 09:26 . 2012-06-02 22:19   53784   ----a-w-   c:\windows\system32\wuauclt.exe
2012-07-03 09:26 . 2012-06-02 22:19   45080   ----a-w-   c:\windows\system32\wups2.dll
2012-07-03 09:26 . 2012-06-02 22:12   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-07-03 09:26 . 2012-06-02 22:19   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
2012-07-03 09:24 . 2012-06-02 22:19   35864   ----a-w-   c:\windows\system32\wups.dll
2012-07-03 09:24 . 2012-06-02 22:19   577048   ----a-w-   c:\windows\system32\wuapi.dll
2012-07-03 09:24 . 2012-06-02 22:12   88576   ----a-w-   c:\windows\system32\wudriver.dll
2012-07-03 09:23 . 2012-06-02 19:19   171904   ----a-w-   c:\windows\system32\wuwebv.dll
2012-07-03 09:23 . 2012-06-02 19:12   33792   ----a-w-   c:\windows\system32\wuapp.exe
2012-06-12 20:58 . 2012-04-23 16:00   984064   ----a-w-   c:\windows\system32\crypt32.dll
2012-06-12 20:58 . 2012-04-23 16:00   133120   ----a-w-   c:\windows\system32\cryptsvc.dll
2012-06-12 20:58 . 2012-04-23 16:00   98304   ----a-w-   c:\windows\system32\cryptnet.dll
2012-06-12 20:55 . 2012-05-15 06:31   197632   ----a-w-   c:\program files\Internet Explorer\IEShims.dll
2012-06-12 20:55 . 2012-05-15 03:26   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-06-12 20:55 . 2012-05-15 06:32   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2012-06-12 20:55 . 2012-05-15 06:31   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2012-06-12 20:55 . 2012-05-15 06:31   71680   ----a-w-   c:\windows\system32\iesetup.dll
2012-06-12 20:55 . 2012-05-15 03:23   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2012-06-12 20:38 . 2012-05-01 14:03   180736   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"MediaGet2"="c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe" [2011-06-29 6841576]
"Facebook Update"="c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-04-01 217088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 150552]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-01 483428]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\Components\scheduler\Launcher.exe" [2009-02-23 165104]
.
c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Dell Remote Access.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Dell Remote Access.lnk
backup=c:\windows\pss\Dell Remote Access.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Aaliyah Kilbourne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Aaliyah Kilbourne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-10-29 03:33   3292248   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Local\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-04-13 06:29   47392   ----a-w-   c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:28   59240   ----a-w-   c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2010-09-15 11:12   281744   ----a-w-   c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2009-11-13 21:15   1807600   ----a-w-   c:\program files\Dell DataSafe Online\DataSafeOnline.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-15 23:16   454784   ----a-w-   c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-07-11 21:22   138096   ----atw-   c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-20 03:54   136176   ----atw-   c:\users\Aaliyah Kilbourne\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24   54840   ----a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 23:05   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 17:18   205336   ----a-w-   c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGet2]
2011-06-29 16:53   6841576   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 02:12   3872080   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2009-10-25 01:34   2923192   ----a-w-   c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-02-05 02:26   128232   ------w-   c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 23:36   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-02-29 12:55   17148552   ----a-r-   c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
2012-07-11 16:55   7609560   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Spotify\spotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-07-11 16:55   1192664   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06   254696   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-06-17 11:44   85160   ----a-w-   c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23   1008184   ----a-w-   c:\program files\Windows Defender\MSASCui.exe
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe

.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
Akamai   REG_MULTI_SZ      Akamai
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4143027877-4185091322-3881734219-1000Core.job
- c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-10 21:22]
.
2012-07-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4143027877-4185091322-3881734219-1000UA.job
- c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-10 21:22]
.
2012-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4143027877-4185091322-3881734219-1000Core.job
- c:\users\Aaliyah Kilbourne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-20 03:54]
.
2012-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4143027877-4185091322-3881734219-1000UA.job
- c:\users\Aaliyah Kilbourne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-20 03:54]
.
2012-07-11 c:\windows\Tasks\User_Feed_Synchronization-{6FE96B10-E20B-4E69-8FA4-D59D7FAF518A}.job
- c:\windows\system32\msfeedssync.exe [2012-06-12 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
WebBrowser-{E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - (no file)
WebBrowser-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\4.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
MSConfigStartUp-ooVoo - c:\program files\ooVoo\ooVoo.exe
MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-11 19:20
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_4f7fccd.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(724)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2012-07-11  19:23:48
ComboFix-quarantined-files.txt  2012-07-11 23:23
.
Pre-Run: 56,848,965,632 bytes free
Post-Run: 59,474,939,904 bytes free
.
- - End Of File - - 3EE4A5E7F912CEFD5B330ADD769B0572

I already see an improvement in response time when opening a browser!

4
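As an added example (not code from the thread, and not part of ComboFix itself): a small Python script that reads the "Reg Loading Points" section of a ComboFix log like the one above, flags autostart entries whose program lives in a user-writable location (AppData, Public, Temp, ProgramData, Downloads), and drafts a CFScript in the same Folder::/Registry:: layout that ComboFix accepts. The sample log is a constructed subset of the entries shown above; the user-writable markers are my own choice of what deserves a second look.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section:
# a subset of the Run/RunOnce entries from the log above, paths as ComboFix prints them.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"MediaGet2"="c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe" [2011-06-29 6841576]
"Facebook Update"="c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-04-01 217088]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\Components\scheduler\Launcher.exe" [2009-02-23 165104]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)

# Directories a standard user can write to (my own list).  Autostart entries pointing
# here are where bundled adware such as MediaGet usually lands, so they get a second look.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


@dataclass
class RunEntry:
    key: str    # registry key the value lives under
    name: str   # value name, e.g. "MediaGet2"
    path: str   # program that gets started
    date: str   # file date as printed by ComboFix
    size: int   # file size in bytes

    @property
    def user_writable(self) -> bool:
        return any(marker in self.path.lower() for marker in USER_WRITABLE)


def parse_loading_points(text: str) -> list:
    """Collect the value/path pairs listed under each Run/RunOnce key."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and current_key:
            entries.append(RunEntry(current_key, m["name"], m["path"], m["date"], int(m["size"])))
    return entries


def flag_suspicious(entries: list) -> list:
    """Subset of entries that autostart from a user-writable location (a hint, not a verdict)."""
    return [e for e in entries if e.user_writable]


def build_cfscript(entries: list) -> str:
    """Draft a CFScript in the layout used later in this thread: delete each program's
    folder and clear its Run value.  A human reviews the draft before ComboFix sees it."""
    folders = sorted({e.path.rsplit("\\", 1)[0] for e in entries})
    lines = ["Folder::", *folders, "", "Registry::"]
    by_key = {}
    for e in entries:
        by_key.setdefault(e.key, []).append(e.name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=' for name in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_loading_points(SAMPLE_LOG)
    for e in flag_suspicious(entries):
        print(f"{e.name:20} {e.path}  ({e.size} bytes, {e.date})")
    # Only MediaGet2 is unwanted here; Facebook Update is flagged too but is a normal updater.
    print(build_cfscript([e for e in entries if e.name == "MediaGet2"]))
```

Run it against the sample and both AppData entries are listed, which is the point of the location test: it narrows what to look at, it does not decide. The CFScript is built only for the entry a person picks, and for MediaGet2 it comes out identical to the script used later in the thread.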

Offline Corrine

Re: slow infected laptop
« Reply #3 on: July 11, 2012, 10:59:25 PM »
You're right.  ComboFix certainly lifted quite a load off that machine.

Regarding being asked to select an OS, let's see if System File Checker helps. 

To determine whether the issue that you are experiencing is caused by one or more system files that are used by Windows, run the System File Checker tool. The System File Checker tool scans system files and replaces incorrect versions of the system files by using the correct versions.

To run the System File Checker tool, follow these steps:
  • Click Start, and then type cmd in the Start Search box.
  • Right-click cmd in the Programs list, and then click Run as administrator.
  • If you are prompted for an administrator password or confirmation, type your password or click Continue.
  • At the command prompt, type the following line, and then press ENTER:

sfc /scannow (note the space before the forward slash)
  • When the scan is complete, test to see whether the issue that you are experiencing is resolved.



Let's get Adobe Reader and Java updated.

The current version of Adobe Reader is available at http://get.adobe.com/reader/.  Be sure to UNcheck the offered McAfee scan.  It is not needed.

For Java, please uninstall Java 6 and download JRE7u5 from http://www.oracle.com/technetwork/java/javase/downloads/index.html (Watch for unwanted extras with Java too!)



Please go here to run an on-line scan from ESET.
  • Note: It is easiest if you use Internet explorer for this scan.  (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.



Offline 4on4off

Re: slow infected laptop
« Reply #4 on: July 12, 2012, 12:08:13 AM »
Sorry for the delay, I had to run my kid across town.

I ran the SFC scan and it found some corrupted files. I saved a snip of it and the log in case you want to see them.

I got Java updated, but when I tried to update Adobe it said something was using Adobe 8 and needed to be stopped first, but I can't see what is using it.

I just started downloading the ESET virus database and I will post the log when it is done along with an update on how it is running.

Also, when I was messing with updating Adobe, MSE noticed something called ?????.opencandy, but I didn't have any default setting set yet so it did not grab it.

Just wanted to update you cuz it had been a bit and I know that the ESET scan can take a while.

4

Offline Corrine

Re: slow infected laptop
« Reply #5 on: July 12, 2012, 12:45:34 AM »
No problem.  Family first and I've been keeping myself occupied.  :)

You could try uninstalling Adobe Reader 8, restart and then download the latest version.

Since System File Checker found corrupt files, I'd like you to run it again after a fresh restart.  If, after three runs of SFC, it continues finding corrupt files, we'll engage niermiro's help.  He is good at helping with that as well!

I believe you said at Sysnative that tomorrow is back to an "on" schedule so don't worry if everything isn't completed right away.  I won't forget about you!



Offline 4on4off

Re: slow infected laptop
« Reply #6 on: July 12, 2012, 11:49:47 AM »
Good morning Corrine,

I ran the ESET scan twice but each time it and the laptop froze up and the scan stopped at 46% with the following detected:

Win32/toolbar.Zugo application
A Variant of win32/adware.Yontoo.B application
A Variant of win32/adware.Yontoo.A application
A Variant of win32/hidden.A application

Both times I had to power it down by holding down the power button.

Also, I did not have time yet to rerun the SFC scan a second or third time to see if it gave the same message about corrupted files. Will have to get to that after work tonight.

4

Offline Corrine

Re: slow infected laptop
« Reply #7 on: July 12, 2012, 12:09:52 PM »
Hi, 4on4off.

I missed Yontoo. Please uninstall Yontoo Layers Runtime (Drop Down Deals) 1.10.01.



Offline 4on4off

Re: slow infected laptop
« Reply #8 on: July 13, 2012, 01:28:22 AM »
Hello Corrine,

Just got home from work. I couldn't stand it so I called my kid and had him check the forum. He uninstalled Yontoo and I had him run the ESET scan again. It has been going for 4 hours now and has picked up 7 infections. It is still at the 46% mark again but it has scanned more files this time and is still counting. Just thought I would give you an update.

4

Offline 4on4off

Re: slow infected laptop
« Reply #9 on: July 13, 2012, 03:31:35 AM »
It seems to be cruising through the files now. It is sitting at 50% complete, but I know she has a ton of stuff on this laptop, so I will let it run and check it in the morning.

4

Offline 4on4off

Re: slow infected laptop
« Reply #10 on: July 13, 2012, 03:51:21 AM »
Well, I turned around and it was done. Here is the log:

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=625d30c37a4ad24b8d4ac254655225bb
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-07-13 04:43:58
# local_time=2012-07-13 12:43:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 100 59754978 178738981 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=293409
# found=7
# cleaned=0
# scan_time=23182
C:\Program Files\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe   a variant of Win32/HiddenStart.A application (unable to clean)   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir   Win32/Toolbar.Zugo application (unable to clean)   00000000000000000000000000000000   I
C:\Users\Aaliyah Kilbourne\Downloads\cnet_FacadeInstaller103p_exe.exe   a variant of Win32/InstallCore.D application (unable to clean)   00000000000000000000000000000000   I
C:\Users\Aaliyah Kilbourne\Downloads\flstudio_10.0.9.exe   Win32/OpenCandy application (unable to clean)   00000000000000000000000000000000   I
C:\Users\Aaliyah Kilbourne\Downloads\installer_adobe_premiere_pro_1_5_English.exe   Win32/Toggle application (unable to clean)   00000000000000000000000000000000   I
C:\Users\Aaliyah Kilbourne\Downloads\MindQuizSetup.exe   Win32/Toolbar.Zugo application (unable to clean)   00000000000000000000000000000000   I
C:\Users\Aaliyah Kilbourne\Downloads\She_Wants_Revenge_-_Valleyheart_(2011)_mediaget.exe   a variant of Win32/MediaGet application (unable to clean)   00000000000000000000000000000000   I

Offline Corrine

Re: slow infected laptop
« Reply #11 on: July 13, 2012, 04:33:13 PM »
Hi, 4on4off.

Since your niece is using the sidebar gadget, please see Microsoft Security Advisory 2719662, Gadget Vulnerability.

This is the second time in two days that an ESET scan has detected DataSafe.  It appears to be a f/p.  The Qoobox items are in ComboFix quarantine.  The remaining items are in the downloads folder and can be deleted from there:

C:\Users\Aaliyah Kilbourne\Downloads\cnet_FacadeInstaller103p_exe.exe
C:\Users\Aaliyah Kilbourne\Downloads\flstudio_10.0.9.exe
C:\Users\Aaliyah Kilbourne\Downloads\installer_adobe_premiere_pro_1_5_English.exe
C:\Users\Aaliyah Kilbourne\Downloads\MindQuizSetup.exe   
C:\Users\Aaliyah Kilbourne\Downloads\She_Wants_Revenge_-_Valleyheart_(2011)_mediaget.exe
 

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
Folder::
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MediaGet2"=
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

4on4off
Re: slow infected laptop
« Reply #12 on: July 14, 2012, 04:51:27 AM »


Quote
Hi, 4on4off.

Since your niece is using the sidebar gadget, please see Microsoft Security Advisory 2719662, Gadget Vulnerability.

This is the second time in two days that an ESET scan has detected DataSafe.  It appears to be a f/p.  The Qoobox are items in ComboFix quarantine.  The remaining items are in the downloads folder and can be deleted from there:

C:\Users\Aaliyah Kilbourne\Downloads\cnet_FacadeInstaller103p_exe.exe
C:\Users\Aaliyah Kilbourne\Downloads\flstudio_10.0.9.exe
C:\Users\Aaliyah Kilbourne\Downloads\installer_adobe_premiere_pro_1_5_English.exe
C:\Users\Aaliyah Kilbourne\Downloads\MindQuizSetup.exe   
C:\Users\Aaliyah Kilbourne\Downloads\She_Wants_Revenge_-_Valleyheart_(2011)_mediaget.exe 


Hello Corrine,

Been a long day, waaaay too hot for me.

I deleted the above items per your instructions. I ran the script; here is the log:

ComboFix 12-07-13.03 - Aaliyah Kilbourne 07/14/2012   1:15.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3034.1798 [GMT -4:00]
Running from: c:\users\Aaliyah Kilbourne\Desktop\ComboFix.exe
Command switches used :: c:\users\Aaliyah Kilbourne\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\chrome.manifest
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\chrome\content\mg_ffext.js
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\chrome\content\mg_ffext.xul
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\components\img_ffext.xpt
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\components\mg_ffext.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\install.rdf
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\imageformats\qgif4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\imageformats\qjpeg4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\imageformats\qmng4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\libeay32.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget-admin-proxy.exe
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mgiehook.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\parameters.txt
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\phonon_backend\phonon_vlc.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\phonon4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\QtCore4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\QtGui4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\QtNetwork4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\QtXml4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\ssleay32.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\unins000.dat
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\unins000.exe
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\unins000.msg
.
.
(((((((((((((((((((((((((   Files Created from 2012-06-14 to 2012-07-14  )))))))))))))))))))))))))))))))
.
.
2012-07-14 05:29 . 2012-07-14 05:29   --------   d-----w-   c:\users\Aaliyah Kilbourne\AppData\Local\temp
2012-07-14 05:29 . 2012-07-14 05:29   --------   d-----w-   c:\users\RA Media Server\AppData\Local\temp
2012-07-14 05:29 . 2012-07-14 05:29   --------   d-----w-   c:\users\Mcx1\AppData\Local\temp
2012-07-14 05:29 . 2012-07-14 05:29   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-07-14 05:29 . 2012-07-14 05:29   --------   d-----w-   c:\users\Aaliyah\AppData\Local\temp
2012-07-14 05:10 . 2012-07-14 05:10   29904   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{90C66F98-EE48-4A15-9609-95F68034C9EC}\MpKsl81271db7.sys
2012-07-14 05:09 . 2012-07-14 05:09   56200   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{90C66F98-EE48-4A15-9609-95F68034C9EC}\offreg.dll
2012-07-14 04:56 . 2012-06-18 07:14   6762896   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{90C66F98-EE48-4A15-9609-95F68034C9EC}\mpengine.dll
2012-07-12 22:17 . 2012-06-18 07:14   6762896   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-12 00:58 . 2012-07-12 00:58   --------   d-----w-   c:\program files\Common Files\Java
2012-07-12 00:57 . 2012-07-12 00:57   --------   d-----w-   c:\program files\Oracle
2012-07-12 00:56 . 2012-05-04 23:29   772504   ----a-w-   c:\windows\system32\npDeployJava1.dll
2012-07-11 21:11 . 2012-06-13 13:40   2047488   ----a-w-   c:\windows\system32\win32k.sys
2012-07-11 20:53 . 2012-06-05 16:47   708608   ----a-w-   c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 20:53 . 2012-06-05 16:47   1401856   ----a-w-   c:\windows\system32\msxml6.dll
2012-07-11 20:53 . 2012-06-05 16:47   1248768   ----a-w-   c:\windows\system32\msxml3.dll
2012-07-11 20:53 . 2012-06-04 15:26   440704   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2012-07-11 20:53 . 2012-06-02 00:04   278528   ----a-w-   c:\windows\system32\schannel.dll
2012-07-11 20:53 . 2012-06-02 00:03   204288   ----a-w-   c:\windows\system32\ncrypt.dll
2012-07-11 20:33 . 2012-02-09 18:17   713784   ------w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{386D93B8-F4E5-45D7-A17C-B974A0F47A5B}\gapaengine.dll
2012-07-11 20:24 . 2012-07-11 20:25   --------   d-----w-   c:\program files\Microsoft Security Client
2012-07-11 20:23 . 2010-04-05 20:00   221568   ----a-w-   c:\windows\system32\drivers\netio.sys
2012-07-11 19:52 . 2012-07-11 19:52   --------   d-----w-   c:\program files\VS Revo Group
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Malwarebytes
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\programdata\Malwarebytes
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-07-11 17:37 . 2012-04-04 19:56   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-07-03 09:26 . 2012-06-02 22:19   53784   ----a-w-   c:\windows\system32\wuauclt.exe
2012-07-03 09:26 . 2012-06-02 22:19   45080   ----a-w-   c:\windows\system32\wups2.dll
2012-07-03 09:26 . 2012-06-02 22:12   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-07-03 09:26 . 2012-06-02 22:19   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
2012-07-03 09:24 . 2012-06-02 22:19   35864   ----a-w-   c:\windows\system32\wups.dll
2012-07-03 09:24 . 2012-06-02 22:19   577048   ----a-w-   c:\windows\system32\wuapi.dll
2012-07-03 09:24 . 2012-06-02 22:12   88576   ----a-w-   c:\windows\system32\wudriver.dll
2012-07-03 09:23 . 2012-06-02 19:19   171904   ----a-w-   c:\windows\system32\wuwebv.dll
2012-07-03 09:23 . 2012-06-02 19:12   33792   ----a-w-   c:\windows\system32\wuapp.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-15 06:37 . 2012-06-12 20:56   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-05-15 06:32 . 2012-06-12 20:55   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2012-05-15 06:32 . 2012-06-12 20:56   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-05-15 06:31 . 2012-06-12 20:55   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2012-05-15 06:31 . 2012-06-12 20:55   71680   ----a-w-   c:\windows\system32\iesetup.dll
2012-05-15 05:01 . 2012-06-12 20:56   385024   ----a-w-   c:\windows\system32\html.iec
2012-05-15 03:26 . 2012-06-12 20:55   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-05-15 03:23 . 2012-06-12 20:55   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2012-05-01 14:03 . 2012-06-12 20:38   180736   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-04-23 16:00 . 2012-06-12 20:58   984064   ----a-w-   c:\windows\system32\crypt32.dll
2012-04-23 16:00 . 2012-06-12 20:58   133120   ----a-w-   c:\windows\system32\cryptsvc.dll
2012-04-23 16:00 . 2012-06-12 20:58   98304   ----a-w-   c:\windows\system32\cryptnet.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Facebook Update"="c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-04-01 217088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 150552]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-01 483428]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\Components\scheduler\Launcher.exe" [2009-02-23 165104]
.
c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Dell Remote Access.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Dell Remote Access.lnk
backup=c:\windows\pss\Dell Remote Access.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Aaliyah Kilbourne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Aaliyah Kilbourne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-10-29 03:33   3292248   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Local\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-04-13 06:29   47392   ----a-w-   c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:28   59240   ----a-w-   c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2010-09-15 11:12   281744   ----a-w-   c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2009-11-13 21:15   1807600   ----a-w-   c:\program files\Dell DataSafe Online\DataSafeOnline.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-15 23:16   454784   ----a-w-   c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-07-11 21:22   138096   ----atw-   c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-20 03:54   136176   ----atw-   c:\users\Aaliyah Kilbourne\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24   54840   ----a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 23:05   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 17:18   205336   ----a-w-   c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 02:12   3872080   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2009-10-25 01:34   2923192   ----a-w-   c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-02-05 02:26   128232   ------w-   c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 23:36   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-02-29 12:55   17148552   ----a-r-   c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
2012-07-11 16:55   7609560   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Spotify\spotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-07-11 16:55   1192664   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 15:07   252296   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-06-17 11:44   85160   ----a-w-   c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23   1008184   ----a-w-   c:\program files\Windows Defender\MSASCui.exe
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe

.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL81271DB7
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
Akamai   REG_MULTI_SZ      Akamai
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4143027877-4185091322-3881734219-1000Core.job
- c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-10 21:22]
.
2012-07-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4143027877-4185091322-3881734219-1000UA.job
- c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-10 21:22]
.
2012-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4143027877-4185091322-3881734219-1000Core.job
- c:\users\Aaliyah Kilbourne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-20 03:54]
.
2012-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4143027877-4185091322-3881734219-1000UA.job
- c:\users\Aaliyah Kilbourne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-20 03:54]
.
2012-07-14 c:\windows\Tasks\User_Feed_Synchronization-{6FE96B10-E20B-4E69-8FA4-D59D7FAF518A}.job
- c:\windows\system32\msfeedssync.exe [2012-06-12 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-MediaGet2 - c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe
MSConfigStartUp-MediaGet2 - c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe
AddRemove-{9193306E-5935-47E0-B458-2548778C1614}_is1 - c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-14 01:29
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_4f7fccd.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(768)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2012-07-14  01:32:01
ComboFix-quarantined-files.txt  2012-07-14 05:31
ComboFix2.txt  2012-07-11 23:23
.
Pre-Run: 56,675,319,808 bytes free
Post-Run: 56,637,390,848 bytes free
.
- - End Of File - - 58B680E69B4609359030EBE375D4B49B

4
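The log above ends with ORPHANS REMOVED entries for the MediaGet2 autostart that the CFScript targeted. The following Python script is an added example for this thread, not ComboFix's code and not from either poster: it parses the REGEDIT4-style "Reg Loading Points" entries ComboFix prints, flags autostarts that launch from user-writable paths such as AppData or ProgramData (where MediaGet2 lived), and checks a post-run log to confirm the targeted entry is gone from the Run keys and is listed as an orphan. The two log excerpts embedded in it are constructed, modelled on the lines in the thread; the size value on the MediaGet2 line in the pre-run excerpt is made up.

```python
"""Triage helper for ComboFix 'Reg Loading Points' output (added example for
this thread; not ComboFix code).  Log excerpts below are constructed."""
import re
from dataclasses import dataclass

# Value lines under a [...\Run] key look like:  "Name"="path" [date size]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# msconfig\startupreg entries: a key line followed by a date/size/attr/path line
STARTUPREG_KEY = re.compile(r'^\[.*\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$', re.I)
STARTUPREG_FILE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+?)\s*$')
# ORPHANS REMOVED lines (autostart values whose target file no longer existed)
ORPHAN = re.compile(r'^(?P<source>HKCU-Run|HKLM-Run|MSConfigStartUp)-(?P<name>.+?) - (?P<path>.+)$')
# Path fragments a standard user can write to: persistence here needs no admin rights
USER_WRITABLE_MARKERS = ('\\users\\', '\\programdata\\', '\\appdata\\', '\\temp\\')

@dataclass(frozen=True)
class Autorun:
    name: str
    source: str  # Run key, startupreg marker, or orphan source the entry came from
    path: str

def is_user_writable(path: str) -> bool:
    """True if the executable sits where a non-admin user can replace it."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)

def parse_autoruns(log: str) -> list[Autorun]:
    """Extract autostarts from [..\\Run] value lines and msconfig\\startupreg blocks."""
    runs: list[Autorun] = []
    current_key = None         # most recent [HKEY_...] header seen
    pending_startupreg = None  # startupreg name whose file line comes next
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        key = STARTUPREG_KEY.match(line)
        if key:
            pending_startupreg, current_key = key.group('name'), None
            continue
        if line.startswith('[') and line.endswith(']'):
            current_key, pending_startupreg = line[1:-1], None
            continue
        if pending_startupreg:
            file_line = STARTUPREG_FILE.match(line)
            if file_line:
                runs.append(Autorun(pending_startupreg, 'msconfig\\startupreg', file_line.group('path')))
            pending_startupreg = None
            continue
        if current_key:
            value = RUN_VALUE.match(line)
            if value:
                runs.append(Autorun(value.group('name'), current_key, value.group('path')))
    return runs

def parse_orphans(log: str) -> list[Autorun]:
    """Entries ComboFix reports under ORPHANS REMOVED."""
    return [Autorun(m.group('name'), m.group('source'), m.group('path'))
            for m in (ORPHAN.match(raw.strip()) for raw in log.splitlines()) if m]

def flag_user_writable(log: str) -> list[Autorun]:
    """Autostarts worth a second look: they launch from user-writable paths."""
    return [run for run in parse_autoruns(log) if is_user_writable(run.path)]

def confirm_removed(pre_log: str, post_log: str, name: str) -> bool:
    """Was `name` an autostart before, absent afterwards, and logged as an orphan?"""
    before = {run.name for run in parse_autoruns(pre_log)}
    after = {run.name for run in parse_autoruns(post_log)}
    orphans = {orphan.name for orphan in parse_orphans(post_log)}
    return name in before and name not in after and name in orphans

# Constructed pre-run excerpt (MediaGet2 still present; its size value is made up)
PRE_RUN_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Facebook Update"="c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"MediaGet2"="c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe" [2012-07-11 5783552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-10-29 03:33   3292248   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Local\Akamai\netsession_win.exe
.
"""
# Constructed post-run excerpt: MediaGet2 gone from Run, reported as orphans instead
POST_RUN_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Facebook Update"="c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-MediaGet2 - c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe
MSConfigStartUp-MediaGet2 - c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe
"""

if __name__ == '__main__':
    for run in flag_user_writable(PRE_RUN_LOG):
        print(f'REVIEW  {run.name:<30} {run.path}')
    print('MediaGet2 removed:', confirm_removed(PRE_RUN_LOG, POST_RUN_LOG, 'MediaGet2'))
```

Run against a real ComboFix log, the flagged list is a starting point, not a verdict: updaters such as Facebook Update and Google Update legitimately run from AppData, so each hit still needs a look at the publisher and the file's age, as Corrine did with the DataSafe false positive above.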

Corrine
Re: slow infected laptop
« Reply #13 on: July 14, 2012, 12:49:29 PM »
Hi, 4on4off.

How is your niece's computer?  Also, is Microsoft Security Essentials updating?


4on4off
Re: slow infected laptop
« Reply #14 on: July 14, 2012, 05:13:48 PM »
Hello Corrine,

Sorry, I followed your suggestions the last couple of go-arounds but forgot to give you an update on how it is running.

I just fired it up and bounced around to a few sites; it is responding a lot faster when opening a browser and moving from site to site. I pulled up some videos and they seem to run fine, although I do not know how that was behaving before.

I opened MSE and it says it is up to date, and when I update it manually it seems to do fine.

I noticed she had the volume on mute. There is a noise in the background, but I think it has to do with the keyboard having had something spilled on it. Whenever I log on, the / key repeats like it is being pressed. A new keyboard is on the way and I will try to replace that. Hopefully there is no damage below.

4