Major slowdown

Started by the GJ, February 06, 2011, 05:28:43 AM


Corrine

Please go here to run an on-line scan from ESET.

  • Note: It is easiest if you use Internet Explorer for this scan. (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

the GJ

Here is the latest, Corrine, thanks. Nothing was found, a good sign, yes?

ComboFix 11-02-05.01 - Owner 02/08/2011  12:31:48.4.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.663 [GMT -8:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

(((((((((((((((((((((((((   Files Created from 2011-01-08 to 2011-02-08  )))))))))))))))))))))))))))))))
.

2011-02-06 22:23 . 2010-12-21 02:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-06 22:23 . 2011-02-06 22:23   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2011-02-06 22:23 . 2010-12-21 02:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-02-06 03:00 . 2011-02-06 03:00   --------   d-----w-   c:\program files\Belarc
2011-02-06 03:00 . 2008-02-27 20:49   3840   ----a-w-   c:\windows\system32\drivers\BANTExt.sys
2011-02-06 02:55 . 2011-02-06 02:56   --------   d-----w-   C:\rsit
2011-02-06 02:54 . 2011-02-06 02:54   --------   d-----w-   c:\program files\ERUNT
2011-02-04 18:22 . 2011-02-04 18:37   --------   d-----w-   c:\program files\Windows Live Safety Center
2011-01-28 03:20 . 2011-01-28 03:20   --------   d-----w-   c:\windows\system32\XPSViewer
2011-01-28 03:19 . 2011-01-28 03:19   --------   d-----w-   c:\program files\MSBuild
2011-01-28 03:19 . 2011-01-28 03:19   --------   d-----w-   c:\program files\Reference Assemblies
2011-01-27 02:34 . 2011-01-27 02:34   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
2011-01-27 01:54 . 2010-11-02 15:17   40960   -c----w-   c:\windows\system32\dllcache\ndproxy.sys
2011-01-27 01:52 . 2010-09-18 06:53   974848   -c----w-   c:\windows\system32\dllcache\mfc42.dll
2011-01-27 01:52 . 2010-09-18 06:53   953856   -c----w-   c:\windows\system32\dllcache\mfc40u.dll
2011-01-27 01:50 . 2010-08-23 16:12   617472   -c----w-   c:\windows\system32\dllcache\comctl32.dll
2011-01-27 01:45 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe
2011-01-26 20:39 . 2011-01-26 20:39   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Temp
2011-01-26 20:25 . 2011-01-26 20:25   --------   d-----w-   c:\program files\Common Files\Adobe
2011-01-26 20:20 . 2011-01-26 20:20   --------   d-----w-   c:\program files\Common Files\Adobe AIR
2011-01-26 20:20 . 2011-01-26 20:39   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2011-01-26 19:39 . 2011-01-26 19:39   --------   d-----w-   c:\program files\PDFArea
2011-01-26 19:39 . 2007-09-14 19:53   518064   ----a-w-   c:\windows\system32\Codejock.SkinFramework.Unicode.v11.2.0.ocx
2011-01-26 19:39 . 2007-09-14 19:53   1746864   ----a-w-   c:\windows\system32\Codejock.CommandBars.Unicode.v11.2.0.ocx
2011-01-26 19:39 . 2006-01-03 22:37   665600   ----a-w-   c:\windows\system32\pdfgenx.ocx
2011-01-24 23:49 . 2011-01-24 23:59   --------   d-----w-   c:\program files\PlanSwift9

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2005-07-15 02:08   81920   ----a-w-   c:\windows\system32\isign32.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-09-28 352976]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 20:49   932288   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-11-10 20:49   35736   ----a-w-   c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ----a-w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 05:17   49152   ----a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2010-01-27 05:04   1337608   ----a-w-   c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 22:53   141608   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 05:16   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7939:TCP"= 7939:TCP:*:Disabled:PlanSwift

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [8/30/2010 6:22 PM 56208]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [7/14/2005 8:16 PM 1287296]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 4:46 PM 32856]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 7:59 PM 19472]
S4 ALLN;ALLN;c:\docume~1\Owner\LOCALS~1\Temp\ALLN.exe --> c:\docume~1\Owner\LOCALS~1\Temp\ALLN.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ovd7wa10.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\documents and settings\Owner\Local Settings\Application Data\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: FastestFox: smarterwiki@wikiatic.com - %profile%\extensions\smarterwiki@wikiatic.com
FF - Ext: LastPass: support@lastpass.com - %profile%\extensions\support@lastpass.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-08 12:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2804)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-02-08  12:45:03
ComboFix-quarantined-files.txt  2011-02-08 20:44
ComboFix2.txt  2011-02-08 20:04
ComboFix3.txt  2011-02-08 19:39
ComboFix4.txt  2011-02-07 04:43

Pre-Run: 57,609,179,136 bytes free
Post-Run: 57,596,764,160 bytes free

- - End Of File - - 25C86AF5E384DC4B52F90F7F39412D54

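As a defender-side illustration of what a helper reads first in a ComboFix report like the one above (an added example, not ComboFix's own code or anything posted in this thread): a small Python triage over constructed sample lines in the same format, flagging a service whose image path sits in a Temp folder, a Windows Firewall profile that is switched off, and a Firefox proxy pointed at localhost. The regexes, the severity labels and the reading of `[?]` as "no file details recorded" are my assumptions about the format.

```python
import re
from typing import List, Tuple

# Constructed sample in the ComboFix report layout seen in this thread (not a real run)
SAMPLE_LOG = r"""
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]
S4 ALLN;ALLN;c:\docume~1\Owner\LOCALS~1\Temp\ALLN.exe --> c:\docume~1\Owner\LOCALS~1\Temp\ALLN.exe [?]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
"""

# Service/driver line: <R|S><start type> <name>;<display name>;<image path> [details]  (assumed layout)
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*(\[[^\]]*\])?\s*$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp|locals~1\\temp)\\", re.IGNORECASE)
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (severity, note) pairs for the lines a helper would want to look at first."""
    findings: List[Tuple[str, str]] = []
    prefs = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            _kind, _start, name, _display, path, details = m.groups()
            if TEMP_DIR_RE.search(path):
                findings.append(("high", f"{name}: service image lives under a Temp folder: {path}"))
            if details == "[?]":
                findings.append(("medium", f"{name}: no file details recorded, file may be missing"))
            continue
        m = REG_VALUE_RE.match(line)
        if m and m.group(1) == "EnableFirewall" and m.group(2) == "0":
            findings.append(("medium", "Windows Firewall standard profile is off; acceptable only if a third-party firewall covers it"))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    # type 1 = manual proxy; a localhost proxy is often a security suite's filter, but confirm the listener
    if prefs.get("network.proxy.type") == "1" and prefs.get("network.proxy.http", "").startswith("127.0.0.1"):
        findings.append(("low", "Firefox sends HTTP through a manual proxy on localhost; confirm which process owns that port"))
    return findings


if __name__ == "__main__":
    for severity, note in triage(SAMPLE_LOG):
        print(f"[{severity}] {note}")
```
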
Corrine

Is your computer still slow?  If so, please do the online scan I requested:

Quote from: Corrine on February 08, 2011, 10:27:24 PM
Please go here to run an on-line scan from ESET.

  • Note: It is easiest if you use Internet Explorer for this scan. (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.



Thanks!


the GJ

The computer is humming right along now, thanks to you Corrine; thanks so much for all your help and guidance, GJ

Corrine

Hi, GJ. 

I'm glad to know your computer is back to normal.  To finish, please do the following:

Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


Note:  Adobe released critical updates yesterday for both Adobe Reader and Adobe Flash.  I strongly encourage you to update both.

Install the latest version of Adobe Reader from http://www.adobe.com/products/reader/

For Adobe Flash:

Direct download for IE:  http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
Direct Download for non-IE (Opera, Firefox etc): http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

After install, verify Flash Player version for each browser installed at About Flash Player page.

Having a firewall, anti-virus and anti-malware software is not enough. You also need to stay current with security updates. If you don't have your computer set to automatically install the Microsoft Security Updates, please check for updates now. For additional information, see my blog post Understanding Microsoft Updates.

To check if your system is missing security updates or has insecure applications, install Secunia Personal Software Inspector or, alternatively, visit http://secunia.com/software_inspector/. The Secunia Software Inspector runs through your browser with no installation or download required and does the following:

  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html

Please let me know if you have any questions.


the GJ

I followed all the instructions in your last missive Corrine, thanks once more for everything, you are my new hero! GJ

Corrine

You are very welcome, GJ, and thank you! 
