Author Topic: Different computer than the other listed. Acts the same. Results here. Replace?  (Read 11956 times)

wolfman

    Topic Starter


    Intermediate

    This was the computer that has become slower and occasionally locking up. Didn't know if I should replace CPU and mother or whole system. Was going to get this one professionally cleaned and tuned also. Wonder if I have to after this. It is an AMD Athlon 1800+ with ECS K7S5A board. 1GB DDR memory 75GB HDD with 50 GB used. Running Windows XP Home on both computers. Let me know what you think.

    [recovering disk space - old attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.
    **********************************************
    There doesn't appear to be too much wrong with this computer. Whether you keep it or upgrade it depends what you want to use it for.  Let's run a few more tests to see if it's clean.

    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    ***************************************
    Please download ComboFix from BleepingComputer.com

    Alternate link: GeeksToGo.com

    Rename ComboFix.exe to commy.exe before you save it to your Desktop
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
    Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

    If you have problems with ComboFix usage, see How to use ComboFix
    Windows 8 and Windows 10 dual boot with two SSD's

    wolfman

      Thanks for helping. I am at the combofix on both computers that you are working on with me. I disabled the shield on AVG 8.5 but I get an error saying combo can't be run with AVG installed. Cannot bypass this step. When I went to Control Panel and add/remove, the uninstall halted saying it couldn't be done because of some registry key or something? Tried twice. What should I do now? I have a feeling I'll get this on the other computer too, but will try and see. Let me know. Thanks

      SuperDave

      Quote
      Thanks for helping. I am at the combofix on both computers that you are working on with me. I disabled the shield on AVG 8.5 but I get an error saying combo can't be run with AVG installed. Cannot bypass this step. When I went to Control Panel and add/remove, the uninstall halted saying it couldn't be done because of some registry key or something? Tried twice. What should I do now? I have a feeling I'll get this on the other computer too, but will try and see. Let me know. Thanks
      This must be something new with ComboFix. I've had that today with another user. Since your AVG is out-dated perhaps you should remove it and install this one. Please download the new AV and install it first, then remove AVG using the tool below.

      Microsoft Security Essentials for Windows XP

      *****************************
      •AVG Antivirus - AVG Antivirus Remover utility

      ************************************
      Please try running ComboFix after all the above is done.

      wolfman

        Like the other computer, had a hard time with AVG and combo, will install 2011. Here are the logs. Let me know what you think, what to do about Spyware Doctor, and which programs to run. Thanks again

        [recovering disk space - old attachment deleted by admin]

        SuperDave

        Please download the newest version of Adobe Acrobat Reader from Adobe.com

        Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
        Go to the Control Panel and enter Add or Remove Programs.
        Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

        Once old versions are gone, please install the newest version.

        ******************************************
        Quote
        what to do about Spyware Doctor
        This program is safe to use.

        Quote
        which programs to run
        I'm not sure if you're talking about Security programs or programs, in general.

        SysProt Antirootkit

        Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

        http://sites.google.com/site/sysprotantirootkit/

        Unzip it into a folder on your desktop.
        • Double click Sysprot.exe to start the program.
        • Click on the Log tab.
        • In the Write to log box select the following items.
          • Process << Selected
          • Kernel Modules << Selected
          • SSDT << Selected
          • Kernel Hooks << Selected
          • IRP Hooks << NOT Selected
          • Ports << NOT Selected
          • Hidden Files << Selected
        • At the bottom of the page
          • Hidden Objects Only << Selected
        • Click on the Create Log button on the bottom right.
        • After a few seconds a new window should appear.
        • Select Scan Root Drive. Click on the Start button.
        • When it is complete a new window will appear to indicate that the scan is finished.
        • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

        Please copy and paste your logs in your reply.

        wolfman

          Here's the latest log

          SysProt AntiRootkit v1.0.1.0
          by swatkat

          ******************************************************************************************
          ******************************************************************************************

          No Hidden Processes found

          ******************************************************************************************
          ******************************************************************************************
          Kernel Modules:
          Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
          Service Name: ---
          Module Base: F45E0000
          Module End: F45F8000
          Hidden: Yes

          Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
          Service Name: ---
          Module Base: F7A93000
          Module End: F7A95000
          Hidden: Yes

          ******************************************************************************************
          ******************************************************************************************
          SSDT:
          Function Name: ZwCreateKey
          Address: F74586AE
          Driver Base: F7429000
          Driver End: F7466000
          Driver Name: PCTCore.sys

          Function Name: ZwCreateProcess
          Address: F7436A96
          Driver Base: F7429000
          Driver End: F7466000
          Driver Name: PCTCore.sys

          Function Name: ZwCreateProcessEx
          Address: F7436D5E
          Driver Base: F7429000
          Driver End: F7466000
          Driver Name: PCTCore.sys

          Function Name: ZwDeleteKey
          Address: F745904C
          Driver Base: F7429000
          Driver End: F7466000
          Driver Name: PCTCore.sys

          Function Name: ZwDeleteValueKey
          Address: F74593D6
          Driver Base: F7429000
          Driver End: F7466000
          Driver Name: PCTCore.sys

          Function Name: ZwOpenKey
          Address: F74578EC
          Driver Base: F7429000
          Driver End: F7466000
          Driver Name: PCTCore.sys

          Function Name: ZwOpenProcess
          Address: F32FC6C0
          Driver Base: F32FA000
          Driver End: F3304000
          Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

          Function Name: ZwRenameKey
          Address: F745991A
          Driver Base: F7429000
          Driver End: F7466000
          Driver Name: PCTCore.sys

          Function Name: ZwSetValueKey
          Address: F7458A50
          Driver Base: F7429000
          Driver End: F7466000
          Driver Name: PCTCore.sys

          Function Name: ZwTerminateProcess
          Address: F32FC770
          Driver Base: F32FA000
          Driver End: F3304000
          Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

          Function Name: ZwTerminateThread
          Address: F32FC810
          Driver Base: F32FA000
          Driver End: F3304000
          Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

          Function Name: ZwWriteVirtualMemory
          Address: F32FC8B0
          Driver Base: F32FA000
          Driver End: F3304000
          Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

          ******************************************************************************************
          ******************************************************************************************
          No Kernel Hooks found

          ******************************************************************************************
          ******************************************************************************************
          Hidden files/folders:
          Object: C:\Documents and Settings\DENNIS\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{BA5F9362-B794-BB7F-C945-12392C889AD9}\01\10-{BA5F9362-B794-BB7F-C945-12392C889AD9}-v1-{48
          Status: Hidden

          Object: C:\Documents and Settings\DENNIS\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{BA5F9362-B794-BB7F-C945-12392C889AD9}\13\13-{A3198939-C9B9-435D-98CF-AB2BC92BE533}-v13-{A
          Status: Hidden

          Object: C:\Documents and Settings\DENNIS\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{BA5F9362-B794-BB7F-C945-12392C889AD9}\13\13-{A7A505AF-E478-4F4D-8F6A-D79C6FC14BAE}-v13-{A
          Status: Hidden

          Object: C:\Documents and Settings\DENNIS\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{BA5F9362-B794-BB7F-C945-12392C889AD9}\14\14-{A3198939-C9B9-435D-98CF-AB2BC92BE533}-v14-{A
          Status: Hidden

          Object: C:\Documents and Settings\DENNIS\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{BA5F9362-B794-BB7F-C945-12392C889AD9}\16\16-{A3198939-C9B9-435D-98CF-AB2BC92BE533}-v16-{A
          Status: Hidden

          Object: C:\Documents and Settings\DENNIS\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{BA5F9362-B794-BB7F-C945-12392C889AD9}\17\17-{A3198939-C9B9-435D-98CF-AB2BC92BE533}-v17-{A
          Status: Hidden

          Object: C:\Documents and Settings\DENNIS\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{BA5F9362-B794-BB7F-C945-12392C889AD9}\18\18-{A3198939-C9B9-435D-98CF-AB2BC92BE533}-v18-{A
          Status: Hidden

          Object: C:\Documents and Settings\DENNIS\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{68E73B71-4EA2-A14A-5BF5-C5F9C066BB5F}\01\11-{68E73B71-4EA2-A14A-5BF5-C5F9C066BB5F}-v1-{4812
          Status: Hidden

          Object: C:\Program Files\IObit\IObit SmartDefrag\language\Lietuviu.lng
          Status: Hidden

          Object: C:\Qoobox\BackEnv\AppData.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Cache.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Cookies.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Desktop.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Favorites.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\History.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Music.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\NetHood.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Personal.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Pictures.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Programs.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Recent.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SendTo.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SetPath.bat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\StartUp.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SysPath.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Templates.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\VikPev00
          Status: Access denied
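
One way to triage the SSDT and kernel-module sections of a SysProt log like the one posted above, as an added example that is not part of the original thread: it groups hooked functions by owning driver and checks that each hook address lies inside that driver's reported base/end range. The first three records are copied from the posted log; the `ZwExampleOnly` / `example.sys` record is constructed, and all function names in the code are hypothetical.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path rules, works on any OS

# First three records are copied from the log in this thread; the last SSDT
# record is constructed to show an address outside its stated driver range.
SAMPLE_LOG = r"""
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F45E0000
Module End: F45F8000
Hidden: Yes

SSDT:
Function Name: ZwCreateKey
Address: F74586AE
Driver Base: F7429000
Driver End: F7466000
Driver Name: PCTCore.sys

Function Name: ZwOpenProcess
Address: F32FC6C0
Driver Base: F32FA000
Driver End: F3304000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

Function Name: ZwExampleOnly
Address: 81234567
Driver Base: F7429000
Driver End: F7466000
Driver Name: example.sys
"""

SSDT_KEYS = ("Function Name", "Address", "Driver Base", "Driver End", "Driver Name")

def parse_records(text):
    """Split the log on blank lines and turn 'Key: Value' lines into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep and value.strip():  # skips banners and bare 'SSDT:' headers
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def ssdt_hooks(text):
    """Return one dict per complete SSDT record, with a range sanity check."""
    hooks = []
    for rec in parse_records(text):
        if not all(k in rec for k in SSDT_KEYS):
            continue  # not an SSDT record, or truncated
        addr, base, end = (int(rec[k], 16) for k in SSDT_KEYS[1:4])
        hooks.append({
            "function": rec["Function Name"],
            "driver": basename(rec["Driver Name"]).lower(),
            "in_range": base <= addr < end,
        })
    return hooks

def hooks_by_driver(hooks):
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["driver"]].append(h["function"])
    return dict(grouped)

def out_of_range(hooks):
    """Hooks whose address is not inside the driver range the log reports."""
    return [h["function"] for h in hooks if not h["in_range"]]

def hidden_modules(text):
    return [basename(r["Module Name"]) for r in parse_records(text)
            if "Module Name" in r and r.get("Hidden") == "Yes"]

if __name__ == "__main__":
    hooks = ssdt_hooks(SAMPLE_LOG)
    print(hooks_by_driver(hooks), out_of_range(hooks), hidden_modules(SAMPLE_LOG))
```

An in-range address only shows the log is self-consistent; whether the named driver belongs to a product actually installed on the machine still has to be checked against the installed-software list.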


          wolfman

            Also, the AVG analyzer ran and showed a number of registry errors. Should I have these fixed or wait until we are done?

            SuperDave

            Quote
            Also, the AVG analyzer ran and showed a number of registry errors. Should I have these fixed or wait until we are done?
            Go ahead and fix them and then run this scan.

            I'd like to scan your machine with ESET OnlineScan

            •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
            ESET OnlineScan
            •Click the button.
            •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
            • Click on to download the ESET Smart Installer. Save it to your desktop.
            • Double click on the icon on your desktop.
            •Check
            •Click the button.
            •Accept any security warnings from your browser.
            •Check
            •Push the Start button.
            •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
            •When the scan completes, push
            •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
            •Push the button.
            •Push
            A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

            wolfman

              There was no report to post, it said 0 threats found.

              SuperDave

              So, how's your computer working now?

              wolfman

                At certain points it seems more responsive. I haven't been getting the neverending hourglass with Yahoo. It is still really slow when you click on the first icon once you're logged in. I looked at CC cleaner and Startup and there are a number of programs running. How many should there be? Your browser and maybe your virus scan and firewall? I had 12-15. And Spyware Doctor runs every night at 6 and usually finds around 6 threats and 3 infections. Is this normal?

                SuperDave

                Quote
                It is still really slow when you click on the first icon once you're logged in.
                Mine does the same thing but I know it's all the downloads when I boot. You can check the startup items with this tool.

                StartupLite

                Download StartupLite by MalwareBytes to your Desktop.
                Doubleclick StartupLite.exe to launch the program.
                Ensure the Disable box is checked.
                Click Continue.
                A pop up message will tell you the unnecessary startup items in your list have been disabled and ask you to restart your computer.
                Re-start your computer.
                ********************************
                Quote
                And Spyware Doctor runs every night at 6 and usually finds around 6 threats and 3 infections. Is this normal?
                I would have to say no. Not normal. Let's check your protection.

                Download Security Check by screen317 from one of the following links and save it to your desktop.

                Link 1
                Link 2

                * Unzip SecurityCheck.zip and a folder named Security Check should appear.
                * Open the Security Check folder and double-click Security Check.bat
                * Follow the on-screen instructions inside of the black box.
                * A Notepad document should open automatically called checkup.txt
                * Post the contents of that document in your next reply.

                Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

                wolfman

                   Results of screen317's Security Check version 0.99.6 
                   Windows XP Service Pack 3 
                   Internet Explorer 8 
                  ``````````````````````````````
                  Antivirus/Firewall Check:

                   Windows Firewall Disabled! 
                   AVG 2011     
                   AVG PC Tuneup 2011   
                   ESET Online Scanner v3   
                   McAfee VirusScan     
                   PC Tools Firewall Plus 6.0 
                   McAfee Firewall     
                  ```````````````````````````````
                  Anti-malware/Other Utilities Check:

                   Malwarebytes' Anti-Malware   
                   AVG PC Tuneup 2011 
                   CCleaner     
                   Java(TM) 6 Update 22 
                   Adobe Flash Player   
                  Adobe Reader 9.4.0
                   Mozilla Firefox (3.6.8)
                  ````````````````````````````````
                  Process Check: 
                  objlist.exe by Laurent

                   AVG avgwdsvc.exe
                   AVG avgtray.exe
                   AVG avgrsx.exe
                   AVG avgnsx.exe
                   PC Tools Firewall Plus FWService.exe   
                   PC Tools Firewall Plus FirewallGUI.exe   
                  ````````````````````````````````
                  DNS Vulnerability Check:

                   GREAT! (Not vulnerable to DNS cache poisoning)

                  ``````````End of Log````````````

                  SuperDave

                  Are you running two AV programs on your computer? AVG 2011 and McAfee VirusScan? If so, one will have to be disabled.

                  How much RAM do you have and how much free space?

