LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: 4on4off on July 11, 2012, 09:55:38 PM

Title: slow infected laptop
Post by: 4on4off on July 11, 2012, 09:55:38 PM
Hello,

My niece's Dell Inspiron 1545 is running Vista Home Premium 32-bit; she was complaining about it being sluggish and slow to boot.
I deselected several unnecessary start-up items and ran mwb in safe mode, which found 264 items. Mainly pup.mywebsearch or the like, along with a few trojans - BHO and Dropper. I did save the log if needed.

I also removed utorrent and frostwire along with a few extra toolbars.

Here is the checkup.txt:

Results of screen317's Security Check version 0.99.42 
Windows Vista Service Pack 2 x86 (UAC is enabled) 
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled! 
Microsoft Security Essentials   
  (On Access scanning disabled!)
Error obtaining update status for antivirus! 
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400 
TuneUp Companion 1.9.0   
Java(TM) 6 Update 30 
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player    11.1.102.62 
Adobe Reader 8 Adobe Reader out of Date!
Google Chrome 19.0.1084.46 
Google Chrome 19.0.1084.56 
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 9 % Defragment your hard drive soon!
````````````````````End of Log``````````````````````

Here is the dds.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19272
Run by Aaliyah Kilbourne at 17:25:59 on 2012-07-11
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3034.1550 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Dell\apache\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft\BingBar\BBSvc.EXE
C:\Program Files\Common Files\Dell\apache\bin\httpd.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Dell\MySQL\bin\mysqld.exe
C:\Program Files\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe
C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe
c:\Program Files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\sminst\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\windows\SMINST\Components\scheduler\STService.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files\somototoolbar\vmntemplateX.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - No File
BHO: Yontoo Layers (Drop Down Deals): {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime (drop down deals)\YontooIEClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: HyperCam Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - c:\program files\hypercam toolbar\tbcore3.dll
TB: {0C8413C1-FAD1-446C-8584-BE50576F863E} - No File
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files\somototoolbar\vmntemplateX.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [MediaGet2] c:\users\aaliyah kilbourne\appdata\local\mediaget2\mediaget.exe --minimized
uRun: [Facebook Update] "c:\users\aaliyah kilbourne\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [Launcher] %WINDIR%\SMINST\Components\scheduler\Launcher.exe
StartupFolder: c:\users\aaliya~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www.freerealms.com/gamedata/FreeRealmsInstaller.cab
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.com:88/renderer/mabiweb.2009.4.9.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{78C7D670-D03A-4507-9331-32218139DE48} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{CA751E5C-C08C-47DD-B897-54EEB75B4976} : DhcpNameServer = 65.32.5.111 65.32.5.112
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_f6ef8056\AEstSrv.exe [2009-6-20 81920]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 Apache2.2;Remote Access Media Server;c:\program files\common files\dell\apache\bin\httpd.exe [2007-9-21 15872]
R2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
R2 dsl-db;Remote Access DB;c:\program files\common files\dell\mysql\bin\mysqld.exe [2007-9-14 5730304]
R2 dsl-fs-sync;Remote Access File Sync Service;c:\program files\common files\dell\remote access file sync service\dsl_fs_sync.exe [2009-1-5 173296]
R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\FABS.exe [2009-8-27 1253376]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 SftService;SoftThinks Agent Service;c:\windows\sminst\SftService.exe [2009-6-20 632048]
R3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-12-7 54632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\common files\magix services\database\bin\fbserver.exe [2008-8-7 3276800]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-20 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-20 40552]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
S3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\dellsu~1\hwdiag\bin\PCD5SRVC.pkms [2008-11-4 22904]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-11-26 34384]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusb.sys [2002-2-20 70016]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
.
=============== Created Last 30 ================
.
2012-07-11 21:11:37   2047488   ----a-w-   c:\windows\system32\win32k.sys
2012-07-11 20:53:35   708608   ----a-w-   c:\program files\common files\system\ado\msado15.dll
2012-07-11 20:53:30   1401856   ----a-w-   c:\windows\system32\msxml6.dll
2012-07-11 20:53:30   1248768   ----a-w-   c:\windows\system32\msxml3.dll
2012-07-11 20:53:26   440704   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2012-07-11 20:53:25   278528   ----a-w-   c:\windows\system32\schannel.dll
2012-07-11 20:53:25   204288   ----a-w-   c:\windows\system32\ncrypt.dll
2012-07-11 20:33:17   713784   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{386d93b8-f4e5-45d7-a17c-b974a0f47a5b}\gapaengine.dll
2012-07-11 20:31:53   6762896   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{888545ff-08f0-4a11-8c19-1b917058edf2}\mpengine.dll
2012-07-11 20:24:15   --------   d-----w-   c:\program files\Microsoft Security Client
2012-07-11 20:23:17   221568   ----a-w-   c:\windows\system32\drivers\netio.sys
2012-07-11 19:52:58   --------   d-----w-   c:\program files\VS Revo Group
2012-07-11 17:37:36   --------   d-----w-   c:\users\aaliyah kilbourne\appdata\roaming\Malwarebytes
2012-07-11 17:37:32   --------   d-----w-   c:\programdata\Malwarebytes
2012-07-11 17:37:31   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-07-11 17:37:31   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-07-11 17:07:08   --------   d-----w-   c:\windows\pss
2012-07-03 09:26:18   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-07-03 09:24:39   88576   ----a-w-   c:\windows\system32\wudriver.dll
2012-07-03 09:23:47   33792   ----a-w-   c:\windows\system32\wuapp.exe
2012-07-03 09:23:47   171904   ----a-w-   c:\windows\system32\wuwebv.dll
2012-06-12 20:58:54   984064   ----a-w-   c:\windows\system32\crypt32.dll
2012-06-12 20:58:37   133120   ----a-w-   c:\windows\system32\cryptsvc.dll
2012-06-12 20:58:25   98304   ----a-w-   c:\windows\system32\cryptnet.dll
2012-06-12 20:55:59   197632   ----a-w-   c:\program files\internet explorer\IEShims.dll
2012-06-12 20:55:59   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-06-12 20:55:58   71680   ----a-w-   c:\windows\system32\iesetup.dll
2012-06-12 20:55:58   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2012-06-12 20:55:58   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2012-06-12 20:55:53   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2012-06-12 20:38:48   180736   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
.
==================== Find3M  ====================
.
2012-05-15 06:37:49   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-05-15 06:32:00   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-05-15 05:01:56   385024   ----a-w-   c:\windows\system32\html.iec
.
============= FINISH: 17:27:13.10 ===============


Here is the attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 6/19/2009 6:58:39 PM
System Uptime: 7/11/2012 5:16:07 PM (0 hours ago)
.
Motherboard: Dell Inc. |  | 0G848F
Processor: Celeron(R) Dual-Core CPU       T3000  @ 1.80GHz | Microprocessor | 1795/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 218 GiB total, 44.667 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 15 GiB total, 8.871 GiB free.
F: is CDROM ()
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}
Description: Screaming Bee Audio
Device ID: ROOT\MEDIA\0000
Manufacturer: Screaming Bee
Name: Screaming Bee Audio
PNP Device ID: ROOT\MEDIA\0000
Service: SCREAMINGBDRIVER
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
4500_G510af_Help
4500G510af
4500G510af_Software_Min
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8
Adobe Shockwave Player 11.5
Akamai NetSession Interface
Akamai NetSession Interface Service
Amnesia - The Dark Descent
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
AVS Update Manager 1.0
Bing Bar
Bonjour
BufferChm
CameraHelperMsi
Carbonite Online Backup Setup
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Conduit Engine
Corel Graphics - Windows Shell Extension
Dell-eBay
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell DataSafe Online
Dell Dock
Dell Edoc Viewer
Dell Getting Started Guide
Dell Remote Access
Dell Support Center (Support Software)
Dell Touchpad
Dell Wireless WLAN Card Utility
Destinations
DeviceDiscovery
DivX Plus Web Player
DocMgr
DocProc
Drivers Install For Linksys Easylink Advisor
EA Download Manager
erLT
Facebook Video Calling 1.2.0.159
Fax
Façade
Firebird SQL Server - MAGIX Edition
FL Studio 10
Google Chrome
GoToAssist 8.0.0.514
GPBaseService2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
HP Customer Participation Program 13.0
HP Document Manager 2.0
HP Imaging Device Functions 13.0
HP Officejet 4500 G510a-f
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HPProductAssistant
HPSSupply
HyperCam Toolbar
IL Download Manager
IMVU Avatar Chat Software
Instant Play Guitar Express
Intel® Matrix Storage Manager
iTunes
Java Auto Updater
Java(TM) 6 Update 30
Junk Mail filter update
Katawa Shoujo
Linksys EasyLink Advisor 1.6 (0032)
Logitech Vid HD
Logitech Webcam Software
Love & Order
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Magic ISO Maker v5.5 (build 0281)
MAGIX Screenshare
MAGIX Speed 2 (MSI)
Malwarebytes Anti-Malware version 1.61.0.1400
MarketResearch
MediaGet2 version 2.1.538.0
MediaGet2 version 2.1.716.0
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Visual Studio Tools for Applications 2.0 Runtime
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Microsoft Works
Microsoft WSE 3.0 Runtime
Microsoft XNA Framework Redistributable 3.0
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Game Studio 3.1
Microsoft XNA Game Studio 3.1 (ARP entry)
Microsoft XNA Game Studio 3.1 (Platformer)
Microsoft XNA Game Studio 3.1 (Redists)
Microsoft XNA Game Studio 3.1 (Shared Components)
Microsoft XNA Game Studio 3.1 (VCSExpress)
Microsoft XNA Game Studio 3.1 (XnaLiveProxy)
Microsoft XNA Game Studio 3.1 Documentation
Microsoft XNA Game Studio Platform Tools
Mobile Broadband Generic Drivers
MobileMe Control Panel
MorphVOX Pro
MP3 Rocket FileBulldog Toolbar
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Coach Player
My Magical Cosplay Cafe 1.0
Nancy Drew: The Curse of Blackmoor Manor
OCR Software by I.R.I.S. 13.0
OGA Notifier 2.0.0048.0
ooVoo
OpenOffice.org 3.1
osu!
Pando Media Booster
PESTERCHUM
PowerDVD DX
QuickSet
QuickTime
RE: Alistair++ 1
Revo Uninstaller 1.94
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Safari
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Shop for HP Supplies
Skype Click to Call
Skype™ 5.8
SmartWebPrinting
SolutionCenter
Spotify
SQL Server System CLR Types
Status
TalkAndWrite
Text-To-Speech-Runtime
The Sims Medieval
The Sims™ 3
The Sims™ 3 World Adventures
ToggleEN Toolbar
Toolbox
TrayApp
TuneUp Companion 1.9.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VC80CRTRedist - 8.0.50727.4053
video-processor
Virtual DJ - Atomix Productions
VirtualCloneDrive
VLC media player 1.0.3
WebReg
WhiteBoardMeeting
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver
Yontoo Layers Runtime (Drop Down Deals) 1.10.01
.
==== Event Viewer Messages From Past Week ========
.
7/5/2012 2:24:04 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the PlugPlay service.
7/11/2012 5:22:16 PM, Error: netbt [4321]  - The name "SCOTT-PC       :0" could not be registered on the interface with IP address 192.168.2.150. The computer with the IP address 192.168.2.148 did not allow the name to be claimed by this computer.
7/11/2012 5:19:15 PM, Error: Service Control Manager [7000]  - The Intel(R) PRO/1000 PCI Express Network Connection Driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/11/2012 5:19:15 PM, Error: Service Control Manager [7000]  - The Intel(R) PRO/1000 NDIS 6 Adapter Driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/11/2012 5:19:15 PM, Error: Service Control Manager [7000]  - The Instant Wireless USB Network Adapter ver.2.6 Driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/11/2012 5:02:25 PM, Error: netbt [4321]  - The name "JILL-PC        :0" could not be registered on the interface with IP address 192.168.2.150. The computer with the IP address 192.168.2.147 did not allow the name to be claimed by this computer.
7/11/2012 4:29:27 PM, Error: VDS Dynamic Provider [10]  - The provider failed while storing notifications from the driver. The Virtual Disk Service should be restarted. hr=80042505
7/11/2012 3:49:43 PM, Error: netbt [4321]  - The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.2.150. The computer with the IP address 192.168.2.148 did not allow the name to be claimed by this computer.
7/11/2012 3:46:00 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/11/2012 3:45:59 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/11/2012 3:45:30 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
7/11/2012 3:45:29 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/11/2012 3:45:22 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/11/2012 3:44:46 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
7/11/2012 3:42:44 PM, Error: Service Control Manager [7001]  - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
7/11/2012 3:42:02 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ElbyCDIO spldr Wanarpv6
7/11/2012 3:42:02 PM, Error: Service Control Manager [7001]  - The Windows Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
7/11/2012 3:42:02 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
7/11/2012 3:41:01 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000]  - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv.dll Error Code: 21
7/11/2012 3:40:44 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048]  - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
7/11/2012 3:40:44 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
7/11/2012 12:49:30 PM, Error: EventLog [6008]  - The previous system shutdown at 12:46:17 PM on 7/11/2012 was unexpected.
7/11/2012 12:46:18 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
7/11/2012 1:20:55 PM, Error: Service Control Manager [7043]  - The Windows Update service did not shut down properly after receiving a preshutdown control.
7/11/2012 1:11:50 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Akamai service.
.
==== End Of File ===========================

Sheesh, that took a while cuz her keyboard had something spilled on it, so some keys are sticky and some don't work. lol

Anyway, also for some reason every time it boots I get the beeping noise and it wants me to select the OS; only one is listed.

Thank you for any assistance.

4




Title: Re: slow infected laptop
Post by: Corrine on July 11, 2012, 10:41:22 PM
Hi, 4on4off.

Holy toolbars!  I see remnants of what you've removed.  The remnants will be dealt with.  I suggest removing the following:

Conduit Engine -- adware/trackware
GoToAssist 8.0.0.514 -- Remote assistance software.  Since the Dell is out of warranty, I suggest removing.
ooVoo -- detected by ESET's Nod32 antivirus as Win32/Adware.Toolbar.Visicom
ToggleEN Toolbar -- adware, part of Conduit family

We'll look at the outdated programs a bit later.  It is very possible that you are being asked to select an OS because of damage due to the spill.

Please follow these instructions carefully.

Download ComboFix from the following location:   Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html).

Now, please run ComboFix:
Title: Re: slow infected laptop
Post by: 4on4off on July 11, 2012, 11:28:27 PM
Corrine,

Here is the ComboFix log:

ComboFix 12-07-11.03 - Aaliyah Kilbourne 07/11/2012  19:09:41.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3034.1715 [GMT -4:00]
Running from: c:\users\Aaliyah Kilbourne\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\HyperCam Toolbar\tbCOre3.dll
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\program files\somototoolbar\vmNTemplatex.dll
c:\users\Aaliyah Kilbourne\AppData\Local\Microsoft\Windows\Temporary Internet Files\CuJBD__vO1_
c:\users\Aaliyah Kilbourne\AppData\Local\Microsoft\Windows\Temporary Internet Files\Gdf_4LN6OcVOIYM
c:\users\Aaliyah Kilbourne\AppData\Local\Microsoft\Windows\Temporary Internet Files\kSyI1AQ_-P7_
c:\users\Public\AkamaiDownloadManagerInstaller.exe
c:\users\Public\kSolo_Install1_2_1_41.exe
c:\users\Public\MorphVOXPro4_Install-1.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\212aa8d2.dll
c:\windows\system32\d7998c4.dll
E:\AUTORUN.INF
.
.
(((((((((((((((((((((((((   Files Created from 2012-06-11 to 2012-07-11  )))))))))))))))))))))))))))))))
.
.
2012-07-11 23:20 . 2012-07-11 23:20   --------   d-----w-   c:\users\Aaliyah Kilbourne\AppData\Local\temp
2012-07-11 21:58 . 2012-06-18 07:14   6762896   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AAAB4DE5-C23F-488B-BC91-DE617A5E96B8}\mpengine.dll
2012-07-11 21:11 . 2012-06-13 13:40   2047488   ----a-w-   c:\windows\system32\win32k.sys
2012-07-11 20:53 . 2012-06-05 16:47   708608   ----a-w-   c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 20:53 . 2012-06-05 16:47   1401856   ----a-w-   c:\windows\system32\msxml6.dll
2012-07-11 20:53 . 2012-06-05 16:47   1248768   ----a-w-   c:\windows\system32\msxml3.dll
2012-07-11 20:53 . 2012-06-04 15:26   440704   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2012-07-11 20:53 . 2012-06-02 00:04   278528   ----a-w-   c:\windows\system32\schannel.dll
2012-07-11 20:53 . 2012-06-02 00:03   204288   ----a-w-   c:\windows\system32\ncrypt.dll
2012-07-11 20:33 . 2012-02-09 18:17   713784   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{386D93B8-F4E5-45D7-A17C-B974A0F47A5B}\gapaengine.dll
2012-07-11 20:24 . 2012-07-11 20:25   --------   d-----w-   c:\program files\Microsoft Security Client
2012-07-11 20:23 . 2010-04-05 20:00   221568   ----a-w-   c:\windows\system32\drivers\netio.sys
2012-07-11 19:52 . 2012-07-11 19:52   --------   d-----w-   c:\program files\VS Revo Group
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Malwarebytes
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\programdata\Malwarebytes
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-07-11 17:37 . 2012-04-04 19:56   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-07-03 09:26 . 2012-06-02 22:19   53784   ----a-w-   c:\windows\system32\wuauclt.exe
2012-07-03 09:26 . 2012-06-02 22:19   45080   ----a-w-   c:\windows\system32\wups2.dll
2012-07-03 09:26 . 2012-06-02 22:12   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-07-03 09:26 . 2012-06-02 22:19   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
2012-07-03 09:24 . 2012-06-02 22:19   35864   ----a-w-   c:\windows\system32\wups.dll
2012-07-03 09:24 . 2012-06-02 22:19   577048   ----a-w-   c:\windows\system32\wuapi.dll
2012-07-03 09:24 . 2012-06-02 22:12   88576   ----a-w-   c:\windows\system32\wudriver.dll
2012-07-03 09:23 . 2012-06-02 19:19   171904   ----a-w-   c:\windows\system32\wuwebv.dll
2012-07-03 09:23 . 2012-06-02 19:12   33792   ----a-w-   c:\windows\system32\wuapp.exe
2012-06-12 20:58 . 2012-04-23 16:00   984064   ----a-w-   c:\windows\system32\crypt32.dll
2012-06-12 20:58 . 2012-04-23 16:00   133120   ----a-w-   c:\windows\system32\cryptsvc.dll
2012-06-12 20:58 . 2012-04-23 16:00   98304   ----a-w-   c:\windows\system32\cryptnet.dll
2012-06-12 20:55 . 2012-05-15 06:31   197632   ----a-w-   c:\program files\Internet Explorer\IEShims.dll
2012-06-12 20:55 . 2012-05-15 03:26   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-06-12 20:55 . 2012-05-15 06:32   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2012-06-12 20:55 . 2012-05-15 06:31   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2012-06-12 20:55 . 2012-05-15 06:31   71680   ----a-w-   c:\windows\system32\iesetup.dll
2012-06-12 20:55 . 2012-05-15 03:23   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2012-06-12 20:38 . 2012-05-01 14:03   180736   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"MediaGet2"="c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe" [2011-06-29 6841576]
"Facebook Update"="c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-04-01 217088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 150552]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-01 483428]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\Components\scheduler\Launcher.exe" [2009-02-23 165104]
.
c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Dell Remote Access.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Dell Remote Access.lnk
backup=c:\windows\pss\Dell Remote Access.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Aaliyah Kilbourne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Aaliyah Kilbourne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-10-29 03:33   3292248   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Local\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-04-13 06:29   47392   ----a-w-   c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:28   59240   ----a-w-   c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2010-09-15 11:12   281744   ----a-w-   c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2009-11-13 21:15   1807600   ----a-w-   c:\program files\Dell DataSafe Online\DataSafeOnline.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-15 23:16   454784   ----a-w-   c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-07-11 21:22   138096   ----atw-   c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-20 03:54   136176   ----atw-   c:\users\Aaliyah Kilbourne\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24   54840   ----a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 23:05   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 17:18   205336   ----a-w-   c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGet2]
2011-06-29 16:53   6841576   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 02:12   3872080   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2009-10-25 01:34   2923192   ----a-w-   c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-02-05 02:26   128232   ------w-   c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 23:36   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-02-29 12:55   17148552   ----a-r-   c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
2012-07-11 16:55   7609560   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Spotify\spotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-07-11 16:55   1192664   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06   254696   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-06-17 11:44   85160   ----a-w-   c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23   1008184   ----a-w-   c:\program files\Windows Defender\MSASCui.exe
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
Title: Re: slow infected laptop
Post by: Corrine on July 11, 2012, 11:59:25 PM
You're right.  ComboFix certainly lifted quite a load off that machine.

Regarding being asked to select an OS, let's see if System File Checker helps. 

To determine whether the issue that you are experiencing is caused by one or more system files that are used by Windows, run the System File Checker tool. The System File Checker tool scans system files and replaces incorrect versions of the system files by using the correct versions.

To run the System File Checker tool, follow these steps:



Let's get Adobe Reader and Java updated.

The current version of Adobe Reader is available at http://get.adobe.com/reader/.  Be sure to UNcheck the offered McAfee scan.  It is not needed.

For Java, please uninstall Java 6 and download JRE7u5 from http://www.oracle.com/technetwork/java/javase/downloads/index.html (Watch for unwanted extras with Java too!)




Please go here (http://www.eset.com/onlinescan/) to run an on-line scan from ESET.
Title: Re: slow infected laptop
Post by: 4on4off on July 12, 2012, 01:08:13 AM
Sorry for the delay, I had to run my kid across town.

I ran the SFC scan and it found some corrupted files. I saved a snippet and the log in case you want to see them.

I got Java updated, but when I tried to update Adobe it said something was using Adobe 8 and needed to be stopped first, but I can't see what is using it.

I just started downloading the ESET virus database and I will post the log when it is done, along with an update on how it is running.

Also, when I was messing with updating Adobe, MSE noticed something called ?????.opencandy, but I didn't have any default setting set yet so it did not grab it.

Just wanted to update you cuz it had been a bit and I know that the eset scan can take awhile.

4
Title: Re: slow infected laptop
Post by: Corrine on July 12, 2012, 01:45:34 AM
No problem.  Family first and I've been keeping myself occupied.  :)

You could try uninstalling Adobe Reader 8, restart and then download the latest version.

Since System File Checker found corrupt files, I'd like you to run it again after a fresh restart.  If after three runs of SFC it continues finding corrupt files, we'll engage niemiro's help.  He is good at helping with that as well!

I believe you said at Sysnative that tomorrow is back to an "on" schedule so don't worry if everything isn't completed right away.  I won't forget about you!
Title: Re: slow infected laptop
Post by: 4on4off on July 12, 2012, 12:49:47 PM
Good morning Corrine,

I ran the ESET scan twice but each time it and the laptop froze up and the scan stopped at 46% with the following detected:

Win32/toolbar.Zugo application
A Variant of win32/adware.Yontoo.B application
A Variant of win32/adware.Yontoo.A application
A Variant of win32/hidden.A application

Both times I had to power it down by holding down the power button.

Also, I did not have time yet to rerun the SFC scan a second or third time to see if it gave the same message about corrupted files. Will have to get to that after work tonight.

4
Title: Re: slow infected laptop
Post by: Corrine on July 12, 2012, 01:09:52 PM
Hi, 4on4off.

I missed Yontoo. Please uninstall Yontoo Layers Runtime (Drop Down Deals) 1.10.01.
Title: Re: slow infected laptop
Post by: 4on4off on July 13, 2012, 02:28:22 AM
Hello Corrine,

Just got home from work. I couldn't stand it so I called my kid and had him check the forum. He uninstalled Yontoo and I had him run the ESET scan again. It has been going for 4 hours now and has picked up 7 infections. It is still at the 46% mark again but it has scanned more files this time and is still counting. Just thought I would give you an update.

4
Title: Re: slow infected laptop
Post by: 4on4off on July 13, 2012, 04:31:35 AM
It seems to be cruising thru the files now. It is sitting at 50% complete but I know she has a ton of stuff on this laptop so I will let it run and check it in the morning.

4
Title: Re: slow infected laptop
Post by: 4on4off on July 13, 2012, 04:51:21 AM
Well, I turned around and it was done. Here is the log:

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=625d30c37a4ad24b8d4ac254655225bb
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-07-13 04:43:58
# local_time=2012-07-13 12:43:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 100 59754978 178738981 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=293409
# found=7
# cleaned=0
# scan_time=23182
C:\Program Files\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe   a variant of Win32/HiddenStart.A application (unable to clean)   00000000000000000000000000000000   I
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir   Win32/Toolbar.Zugo application (unable to clean)   00000000000000000000000000000000   I
C:\Users\Aaliyah Kilbourne\Downloads\cnet_FacadeInstaller103p_exe.exe   a variant of Win32/InstallCore.D application (unable to clean)   00000000000000000000000000000000   I
C:\Users\Aaliyah Kilbourne\Downloads\flstudio_10.0.9.exe   Win32/OpenCandy application (unable to clean)   00000000000000000000000000000000   I
C:\Users\Aaliyah Kilbourne\Downloads\installer_adobe_premiere_pro_1_5_English.exe   Win32/Toggle application (unable to clean)   00000000000000000000000000000000   I
C:\Users\Aaliyah Kilbourne\Downloads\MindQuizSetup.exe   Win32/Toolbar.Zugo application (unable to clean)   00000000000000000000000000000000   I
C:\Users\Aaliyah Kilbourne\Downloads\She_Wants_Revenge_-_Valleyheart_(2011)_mediaget.exe   a variant of Win32/MediaGet application (unable to clean)   00000000000000000000000000000000   I
Title: Re: slow infected laptop
Post by: Corrine on July 13, 2012, 05:33:13 PM
Hi, 4on4off.

Since your niece is using the sidebar gadget, please see Microsoft Security Advisory 2719662, Gadget Vulnerability (http://securitygarden.blogspot.com/2012/07/microsoft-security-advisory-2719662.html).

This is the second time in two days that an ESET scan has detected DataSafe.  It appears to be a f/p.  The Qoobox entries are items in ComboFix quarantine.  The remaining items are in the Downloads folder and can be deleted from there:

C:\Users\Aaliyah Kilbourne\Downloads\cnet_FacadeInstaller103p_exe.exe
C:\Users\Aaliyah Kilbourne\Downloads\flstudio_10.0.9.exe
C:\Users\Aaliyah Kilbourne\Downloads\installer_adobe_premiere_pro_1_5_English.exe
C:\Users\Aaliyah Kilbourne\Downloads\MindQuizSetup.exe   
C:\Users\Aaliyah Kilbourne\Downloads\She_Wants_Revenge_-_Valleyheart_(2011)_mediaget.exe
 

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



Folder::
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MediaGet2"=

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
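As an added example (not code from the thread, ESET or ComboFix), a small Python triage script that parses an ESET Online Scanner log like the one posted above and sorts detections the way Corrine does: entries under Qoobox are already contained by ComboFix quarantine, installers in Downloads can simply be deleted, and anything else (such as the Dell DataSafe hstart.exe) is held for review as a possible false positive. The sample log lines are constructed to mirror the posted format, with a placeholder user name; fields are assumed to be tab-separated, or separated by runs of spaces as the forum rendered them.

```python
"""Triage an ESET Online Scanner log the way the thread does.

Added example; not code from the thread or from ESET. Constructed sample
lines below mirror the log format posted in the thread: '# key=value'
header lines, then one detection per line with fields separated by a tab
(or, as the forum rendered them, by runs of spaces).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
FIELD_SPLIT = re.compile(r"\t| {3,}")
VERDICT_RE = re.compile(r"^(?P<name>.+?)\s*\((?P<action>[^)]*)\)$")


def _line(*fields: str) -> str:
    """Join detection fields with tabs, as the scanner writes them."""
    return "\t".join(fields)


# Constructed sample: a subset of the verdicts seen in the thread, with a
# placeholder user name in the Downloads path.
SAMPLE_LOG = "\n".join([
    "ESETSmartInstaller@High as downloader log:",
    "all ok",
    "# version=7",
    "# end=finished",
    "# scanned=293409",
    "# found=3",
    "# cleaned=0",
    _line(r"C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir",
          "Win32/Toolbar.Zugo application (unable to clean)", "0" * 32, "I"),
    _line(r"C:\Users\<user>\Downloads\MindQuizSetup.exe",
          "Win32/Toolbar.Zugo application (unable to clean)", "0" * 32, "I"),
    _line(r"C:\Program Files\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe",
          "a variant of Win32/HiddenStart.A application (unable to clean)", "0" * 32, "I"),
])


@dataclass
class Detection:
    path: str
    name: str      # e.g. "Win32/Toolbar.Zugo application"
    action: str    # e.g. "unable to clean"
    category: str  # one of the classify() results


def classify(path: str) -> str:
    """Sort a detection by where it lives, following the thread's reasoning."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"      # already contained by ComboFix; nothing to do
    if "\\downloads\\" in p:
        return "delete-download"  # bundled installer: delete the file
    return "review"               # live program file: confirm before acting (possible f/p)


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Return (header key/values, detections) parsed from the log text."""
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2).strip()
            continue
        fields = [f for f in FIELD_SPLIT.split(line) if f]
        if len(fields) < 2:
            continue  # installer chatter such as "all ok"; not a detection
        path, verdict = fields[0], fields[1]
        vm = VERDICT_RE.match(verdict)
        name, action = (vm.group("name"), vm.group("action")) if vm else (verdict, "")
        detections.append(Detection(path, name, action, classify(path)))
    return header, detections


def summarize(header: Dict[str, str], detections: List[Detection]) -> Dict[str, object]:
    """Count detections per category and cross-check them against the header."""
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.category] = counts.get(d.category, 0) + 1
    found = int(header.get("found", "0"))
    return {
        "counts": counts,
        "found_matches": found == len(detections),   # header agrees with body
        "nothing_cleaned": header.get("cleaned") == "0",  # scan ran with removal off
    }


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    for d in dets:
        print(f"{d.category:16} {d.name:48} {d.path}")
    print(summarize(hdr, dets))
```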



Title: Re: slow infected laptop
Post by: 4on4off on July 14, 2012, 05:51:27 AM


Quote from: Corrine
> Hi, 4on4off.
>
> Since your niece is using the sidebar gadget, please see Microsoft Security Advisory 2719662, Gadget Vulnerability.
>
> This is the second time in two days that an ESET scan has detected DataSafe.  It appears to be a f/p.  The Qoobox entries are items in ComboFix quarantine.  The remaining items are in the Downloads folder and can be deleted from there:
>
> C:\Users\Aaliyah Kilbourne\Downloads\cnet_FacadeInstaller103p_exe.exe
> C:\Users\Aaliyah Kilbourne\Downloads\flstudio_10.0.9.exe
> C:\Users\Aaliyah Kilbourne\Downloads\installer_adobe_premiere_pro_1_5_English.exe
> C:\Users\Aaliyah Kilbourne\Downloads\MindQuizSetup.exe
> C:\Users\Aaliyah Kilbourne\Downloads\She_Wants_Revenge_-_Valleyheart_(2011)_mediaget.exe

Hello Corrine,

Been a long day, waaaay too hot for me.

I deleted the above items per your instructions. I ran the script; here is the log:

ComboFix 12-07-13.03 - Aaliyah Kilbourne 07/14/2012   1:15.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3034.1798 [GMT -4:00]
Running from: c:\users\Aaliyah Kilbourne\Desktop\ComboFix.exe
Command switches used :: c:\users\Aaliyah Kilbourne\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\chrome.manifest
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\chrome\content\mg_ffext.js
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\chrome\content\mg_ffext.xul
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\components\img_ffext.xpt
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\components\mg_ffext.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\Firefox\install.rdf
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\imageformats\qgif4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\imageformats\qjpeg4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\imageformats\qmng4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\libeay32.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget-admin-proxy.exe
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mediaget.exe
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\mgiehook.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\parameters.txt
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\phonon_backend\phonon_vlc.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\phonon4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\QtCore4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\QtGui4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\QtNetwork4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\QtXml4.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\ssleay32.dll
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\unins000.dat
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\unins000.exe
c:\users\Aaliyah Kilbourne\AppData\Local\MediaGet2\unins000.msg
.
.
(((((((((((((((((((((((((   Files Created from 2012-06-14 to 2012-07-14  )))))))))))))))))))))))))))))))
.
.
2012-07-14 05:29 . 2012-07-14 05:29   --------   d-----w-   c:\users\Aaliyah Kilbourne\AppData\Local\temp
2012-07-14 05:29 . 2012-07-14 05:29   --------   d-----w-   c:\users\RA Media Server\AppData\Local\temp
2012-07-14 05:29 . 2012-07-14 05:29   --------   d-----w-   c:\users\Mcx1\AppData\Local\temp
2012-07-14 05:29 . 2012-07-14 05:29   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-07-14 05:29 . 2012-07-14 05:29   --------   d-----w-   c:\users\Aaliyah\AppData\Local\temp
2012-07-14 05:10 . 2012-07-14 05:10   29904   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{90C66F98-EE48-4A15-9609-95F68034C9EC}\MpKsl81271db7.sys
2012-07-14 05:09 . 2012-07-14 05:09   56200   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{90C66F98-EE48-4A15-9609-95F68034C9EC}\offreg.dll
2012-07-14 04:56 . 2012-06-18 07:14   6762896   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{90C66F98-EE48-4A15-9609-95F68034C9EC}\mpengine.dll
2012-07-12 22:17 . 2012-06-18 07:14   6762896   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-12 00:58 . 2012-07-12 00:58   --------   d-----w-   c:\program files\Common Files\Java
2012-07-12 00:57 . 2012-07-12 00:57   --------   d-----w-   c:\program files\Oracle
2012-07-12 00:56 . 2012-05-04 23:29   772504   ----a-w-   c:\windows\system32\npDeployJava1.dll
2012-07-11 21:11 . 2012-06-13 13:40   2047488   ----a-w-   c:\windows\system32\win32k.sys
2012-07-11 20:53 . 2012-06-05 16:47   708608   ----a-w-   c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 20:53 . 2012-06-05 16:47   1401856   ----a-w-   c:\windows\system32\msxml6.dll
2012-07-11 20:53 . 2012-06-05 16:47   1248768   ----a-w-   c:\windows\system32\msxml3.dll
2012-07-11 20:53 . 2012-06-04 15:26   440704   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2012-07-11 20:53 . 2012-06-02 00:04   278528   ----a-w-   c:\windows\system32\schannel.dll
2012-07-11 20:53 . 2012-06-02 00:03   204288   ----a-w-   c:\windows\system32\ncrypt.dll
2012-07-11 20:33 . 2012-02-09 18:17   713784   ------w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{386D93B8-F4E5-45D7-A17C-B974A0F47A5B}\gapaengine.dll
2012-07-11 20:24 . 2012-07-11 20:25   --------   d-----w-   c:\program files\Microsoft Security Client
2012-07-11 20:23 . 2010-04-05 20:00   221568   ----a-w-   c:\windows\system32\drivers\netio.sys
2012-07-11 19:52 . 2012-07-11 19:52   --------   d-----w-   c:\program files\VS Revo Group
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Malwarebytes
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\programdata\Malwarebytes
2012-07-11 17:37 . 2012-07-11 17:37   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-07-11 17:37 . 2012-04-04 19:56   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-07-03 09:26 . 2012-06-02 22:19   53784   ----a-w-   c:\windows\system32\wuauclt.exe
2012-07-03 09:26 . 2012-06-02 22:19   45080   ----a-w-   c:\windows\system32\wups2.dll
2012-07-03 09:26 . 2012-06-02 22:12   2422272   ----a-w-   c:\windows\system32\wucltux.dll
2012-07-03 09:26 . 2012-06-02 22:19   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
2012-07-03 09:24 . 2012-06-02 22:19   35864   ----a-w-   c:\windows\system32\wups.dll
2012-07-03 09:24 . 2012-06-02 22:19   577048   ----a-w-   c:\windows\system32\wuapi.dll
2012-07-03 09:24 . 2012-06-02 22:12   88576   ----a-w-   c:\windows\system32\wudriver.dll
2012-07-03 09:23 . 2012-06-02 19:19   171904   ----a-w-   c:\windows\system32\wuwebv.dll
2012-07-03 09:23 . 2012-06-02 19:12   33792   ----a-w-   c:\windows\system32\wuapp.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-15 06:37 . 2012-06-12 20:56   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-05-15 06:32 . 2012-06-12 20:55   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2012-05-15 06:32 . 2012-06-12 20:56   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-05-15 06:31 . 2012-06-12 20:55   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2012-05-15 06:31 . 2012-06-12 20:55   71680   ----a-w-   c:\windows\system32\iesetup.dll
2012-05-15 05:01 . 2012-06-12 20:56   385024   ----a-w-   c:\windows\system32\html.iec
2012-05-15 03:26 . 2012-06-12 20:55   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-05-15 03:23 . 2012-06-12 20:55   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2012-05-01 14:03 . 2012-06-12 20:38   180736   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-04-23 16:00 . 2012-06-12 20:58   984064   ----a-w-   c:\windows\system32\crypt32.dll
2012-04-23 16:00 . 2012-06-12 20:58   133120   ----a-w-   c:\windows\system32\cryptsvc.dll
2012-04-23 16:00 . 2012-06-12 20:58   98304   ----a-w-   c:\windows\system32\cryptnet.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Facebook Update"="c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-04-01 217088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 150552]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-01 483428]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\Components\scheduler\Launcher.exe" [2009-02-23 165104]
.
c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Dell Remote Access.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Dell Remote Access.lnk
backup=c:\windows\pss\Dell Remote Access.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Aaliyah Kilbourne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Aaliyah Kilbourne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Aaliyah Kilbourne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-10-29 03:33   3292248   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Local\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-04-13 06:29   47392   ----a-w-   c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:28   59240   ----a-w-   c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2010-09-15 11:12   281744   ----a-w-   c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2009-11-13 21:15   1807600   ----a-w-   c:\program files\Dell DataSafe Online\DataSafeOnline.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-15 23:16   454784   ----a-w-   c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-07-11 21:22   138096   ----atw-   c:\users\Aaliyah Kilbourne\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-20 03:54   136176   ----atw-   c:\users\Aaliyah Kilbourne\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24   54840   ----a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 23:05   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 17:18   205336   ----a-w-   c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 02:12   3872080   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2009-10-25 01:34   2923192   ----a-w-   c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-02-05 02:26   128232   ------w-   c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 23:36   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-02-29 12:55   17148552   ----a-r-   c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
2012-07-11 16:55   7609560   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Spotify\spotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-07-11 16:55   1192664   ----a-w-   c:\users\Aaliyah Kilbourne\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 15:07   252296   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-06-17 11:44   85160   ----a-w-   c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23   1008184   ----a-w-   c:\program files\Windows Defender\MSASCui.exe
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
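As an added example (not part of this thread or of ComboFix), a small Python script that pulls the Run/RunOnce and msconfig startupreg entries out of a "Reg Loading Points" section in the layout shown above and marks the ones that launch from a user profile's AppData tree, the kind of location a per-user installer or an unwanted program can write to without admin rights. The sample section it parses is constructed; its entry names and paths are made up.

```python
import re

# Constructed sample in the layout of a ComboFix "Reg Loading Points" section (names and paths made up).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Example Update"="c:\users\someuser\AppData\Local\Example\Update\ExampleUpdate.exe" [2012-07-11 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Streamer]
2012-07-11 16:55   7609560   ----a-w-   c:\users\someuser\AppData\Roaming\Streamer\streamer.exe
.
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"="path" [yyyy-mm-dd size]   -> Run / RunOnce entries
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]')
# yyyy-mm-dd hh:mm   size   attrs   path   -> msconfig startupreg entries
MSCONFIG_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$')

def runs_from_user_profile(path):
    # A binary under a user's AppData tree can be dropped or replaced by any
    # process running as that user, with no elevation, so it merits a look.
    p = path.lower()
    return p.startswith('c:\\users\\') and '\\appdata\\' in p

def parse_loading_points(text):
    # One dict per autorun entry; 'review' marks entries worth a closer look.
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember the registry key we are under
            continue
        m = RUN_RE.match(line)
        if m and key:
            name, path, date, size = m.groups()
        else:
            m = MSCONFIG_RE.match(line)
            if not (m and key):
                continue              # separators ('.') and anything unparsed
            date, size, _attrs, path = m.groups()
            name = key.rsplit('\\', 1)[-1]   # last key component is the entry name
        entries.append({'name': name, 'key': key, 'path': path.strip(), 'date': date,
                        'size': int(size), 'review': runs_from_user_profile(path)})
    return entries
```

Paste a real section into SAMPLE_LOG (or read it from the saved log file) and print the entries whose 'review' flag is set; those are the ones to check against the vendor's download page before deciding whether they belong.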
Title: Re: slow infected laptop
Post by: Corrine on July 14, 2012, 01:49:29 PM
Hi, 4on4off.

How is your niece's computer?  Also, is Microsoft Security Essentials updating?
Title: Re: slow infected laptop
Post by: 4on4off on July 14, 2012, 06:13:48 PM
Hello Corrine,

Sorry, I followed your suggestions the last couple of go-arounds but forgot to give you an update on how it is running.

I just fired it up and bounced around to a few sites; it is responding a lot faster when opening a browser and moving from site to site. I pulled up some videos and they seem to run fine, although I do not know how that was behaving before.

I opened MSE and it says it is up to date, and when I update it manually it seems to do fine.

I noticed she had the volume on mute. There is a noise in the background but I think it has to do with the keyboard having something spilled on it. Whenever I log on the / key repeats like it is being pressed. A new keyboard is on the way and I will try to replace that. Hopefully there is no damage below.

4
Title: Re: slow infected laptop
Post by: Corrine on July 14, 2012, 07:26:26 PM
That is great news, 4on4off. 

Some additional fine-tuning will help as well.  However, first, let's remove the tools I had you download since they will not be helpful for your niece.  You can remove DDS, Security Check and ESET. 

Next, Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal (https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=combofix%40live%2ecom&item_name=ComboFix&no_shipping=0&no_note=1&tax=0&currency_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8).


You may have noticed this entry in the Security Check log:  Total Fragmentation on Drive C: 9 % Defragment your hard drive soon!  With all the additional programs removed, the drive is likely in even greater need of being defragged.  Since this should be a scheduled task, you may want to check when it is scheduled to run -- likely when the computer is shut down.  If that is the case, consider changing the scheduled time. 

As you have already explained to your niece's father the dangers of P2P programs, I won't go into that "lecture".  However, a "think before you click" lecture may be in order.  Please explain to your niece that free programs are not always free as they include some nasty additions.  Remind her to read every screen when installing something, watching for "pre-checked" add-ons.  It is best to stick with the vendor site when selecting a program.

While you have the computer, check that all Microsoft Security Updates have been installed and check the settings for updates. 

Please let me know if you have any questions. 
Title: Re: slow infected laptop
Post by: 4on4off on July 14, 2012, 09:02:16 PM
I have uninstalled the applications as you instructed and I will defrag and check the security updates and let you know.

4
Title: Re: slow infected laptop
Post by: Corrine on July 14, 2012, 10:00:09 PM
Thank you. 
Title: Re: slow infected laptop
Post by: 4on4off on July 15, 2012, 11:15:25 PM
Hi Corrine,

Finally was able to uninstall Adobe 8 and install the latest update you linked. I checked Windows Update and there were no new security updates available. I forgot to check installed updates before I started the defrag this morning when I got off work and I didn't want to until it was done. It is still running as I type.

I still get the beeping and choice for os at start up and I ran the sfc a second time and it gave the same error at 89% complete:

"Windows Resource ???? found some corrupted files but was not able to fix all of them"

Once the defrag finishes I will run the sfc scan a third time, hopefully it is done before I go in for my last night shift.

Other than that, just waiting for the keyboard to show up so I can try to replace it.

Thanks for all your help on this.

4
Title: Re: slow infected laptop
Post by: Corrine on July 16, 2012, 01:57:07 AM
Hi, 4on4off.

Although the replacement keyboard may help, I have the feeling the spill did more damage.  If between System File Checker and the new keyboard, the problems continue, I think you'll need to take the CBS log to niermiro at Sysnative.
Title: Re: slow infected laptop
Post by: 4on4off on July 16, 2012, 02:47:47 PM
Hi Corrine,

Thank you again for the help.

4
Title: Re: slow infected laptop
Post by: 4on4off on July 19, 2012, 01:12:44 AM
Hi Corrine,

Just got done replacing the keyboard and that fixed the beeping at start up and selection of OS. I ran the sfc scan again and same thing at 89% with the reported corrupted files. Also, when I fired it back up it ran the check disk and did some things along the lines of deleting and replacing this and that.

The thing is running great and I am sure she will be pleased, and my brother especially since he will not have to buy her a new laptop.

I do have one question though... In the control panel there is a blank icon, I am not sure if it was there before or after the cleaning. Is this something to be too concerned about? Can it be safely deleted?

Thanks again for all your help.

4
Title: Re: slow infected laptop
Post by: Corrine on July 19, 2012, 01:58:28 AM
The cleanup process wouldn't have resulted in a blank icon.  Comparing to the attached screen capture, is anything missing?  If not, try deleting it.
Title: Re: slow infected laptop
Post by: 4on4off on July 19, 2012, 02:06:32 AM
I didn't think so. Nothing is missing compared to the screen shot. I only get a create shortcut option with a right click and I can't drag it anywhere.

4
Title: Re: slow infected laptop
Post by: Corrine on July 19, 2012, 01:57:02 PM
If it doesn't delete in normal mode, try safe mode.
Title: Re: slow infected laptop
Post by: 4on4off on July 19, 2012, 10:56:33 PM
Well, I figured to just leave well enough alone. I have returned her laptop to her as it is in great working order compared to when I got it. If I come across her and she has it with her I will give safe mode a try.

4