[Resolved] Slow Computer

**townsbg** · 30-06-2009

AVG doesn't show up in the HTJ because I removed it just before running combofix because I was changing over to avira anyway. So, do I still need to do this script? What does it do?

**broni** · 30-06-2009

It removes bad, or unneeded files. Please, run it.
If you uninstalled AVG, make sure, you run AVG Remover: AVG Antivirus and Security Software - Tools download

**townsbg** · 30-06-2009

Originally Posted by broni

It removes bad, or unneeded files. Please, run it.
If you uninstalled AVG, make sure, you run AVG Remover: AVG Antivirus and Security Software - Tools download

Is that all I need to do? If it isn't next time I go I might as well bring it back with me or do everything else that I need to do there. Gas money and time.

**broni** · 30-06-2009

I can't predict my next move.
I need to see Combofix log after running the fix, and fresh HJT log after running AVG Remover, and installing Avira.

**townsbg** · 03-07-2009

I finally got around to running the other combofix. Here are the logs
HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:06 PM, on 7/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G 1.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sandboxer.com/redirect.as...3KQ4MT%40C%23W
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstan ce.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G 1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 4718 bytes

ComboFix

ComboFix 09-07-02.02 - Terry Gentry 07/03/2009 12:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.88 [GMT -5:00]
Running from: c:\documents and settings\Terry Gentry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Terry Gentry\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\docume~1\CODYGE~1\LOCALS~1\Temp\bDMusicb.s ys"
"c:\windows\Tasks\SymantecNetDetect.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Symantec
c:\program files\Symantec\LiveUpdate\1.Settings.Default.LiveU pdate
c:\program files\Symantec\LiveUpdate\ALUNOTIFY.EXE
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LSETUP.EXE
c:\program files\Symantec\LiveUpdate\LuAll.cnt
c:\program files\Symantec\LiveUpdate\LUALL.EXE
c:\program files\Symantec\LiveUpdate\LUALL.HLP
c:\program files\Symantec\LiveUpdate\LuComServer.EXE
c:\program files\Symantec\LiveUpdate\LuComServerPS.DLL
c:\program files\Symantec\LiveUpdate\ludirloc.dat
c:\program files\Symantec\LiveUpdate\LUINFO.INF
c:\program files\Symantec\LiveUpdate\LUInit.exe
c:\program files\Symantec\LiveUpdate\LUInit.ini
c:\program files\Symantec\LiveUpdate\LUINSDLL.DLL
c:\program files\Symantec\LiveUpdate\LuResult.txt
c:\program files\Symantec\LiveUpdate\NDETECT.EXE
c:\program files\Symantec\LiveUpdate\NetDetectController.DLL
c:\program files\Symantec\LiveUpdate\ProductRegCom.DLL
c:\program files\Symantec\LiveUpdate\ProductRegComPS.DLL
c:\program files\Symantec\LiveUpdate\README.TXT
c:\program files\Symantec\LiveUpdate\S32LIVE1.DLL
c:\program files\Symantec\LiveUpdate\S32LUCP1.CPL
c:\program files\Symantec\LiveUpdate\S32LUIS1.DLL
c:\program files\Symantec\LiveUpdate\S32LUWI1.DLL
c:\program files\Symantec\LiveUpdate\SymantecRootInstaller.ex e
c:\windows\Installer\1936e3e.msp
c:\windows\Installer\1936e61.msp
c:\windows\Installer\1936e74.msp
c:\windows\Installer\1936e86.msp
c:\windows\Installer\1936e94.msp
c:\windows\Installer\1936eb7.msp
c:\windows\Installer\1936ec5.msp
c:\windows\Installer\1f4f921.msp
c:\windows\Installer\1f4f944.msp
c:\windows\Installer\1f4f957.msp
c:\windows\Installer\1f4f965.msp
c:\windows\Installer\1f4f988.msp
c:\windows\Installer\1f4f996.msp
c:\windows\Installer\1f4f9b8.msp
c:\windows\Installer\20104df.msp
c:\windows\Installer\2010502.msp
c:\windows\Installer\2010515.msp
c:\windows\Installer\2010523.msp
c:\windows\Installer\2010546.msp
c:\windows\Installer\2010554.msp
c:\windows\Installer\2010576.msp
c:\windows\Installer\402bdc.msp
c:\windows\Installer\a13d64.msp
c:\windows\Installer\a13d87.msp
c:\windows\Installer\a13d9a.msp
c:\windows\Installer\a13da8.msp
c:\windows\Installer\a13dcc.msp
c:\windows\Installer\a13dda.msp
c:\windows\Installer\a13dfd.msp
c:\windows\Installer\WinRMSrv.msi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BDMUSICB
-------\Service_bDMusicb

((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-06-29 18:28 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-29 18:28 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-29 18:28 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-29 18:28 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-29 18:28 . 2009-06-29 18:28 -------- d-----w- c:\program files\Avira
2009-06-29 18:28 . 2009-06-29 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-29 14:15 . 2009-06-29 14:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-27 18:26 . 2009-06-27 18:26 -------- d-----w- c:\program files\Trend Micro
2009-06-27 18:13 . 2009-06-27 18:13 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\Malwarebytes
2009-06-27 18:12 . 2009-06-27 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-25 19:52 . 2009-06-25 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-25 19:51 . 2009-06-25 21:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-25 19:51 . 2009-06-25 19:51 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\SUPERAntiSpyware.com
2009-06-25 19:51 . 2009-06-25 19:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-23 20:58 . 2009-06-23 20:58 -------- d-----w- c:\program files\CCleaner
2009-06-23 20:50 . 2009-06-27 19:55 -------- d-----w- c:\program files\MSECACHE
2009-06-12 16:57 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-12 16:57 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-06 16:10 . 2009-06-06 16:10 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\aAvgApi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-06-29 18:26 . 2005-11-03 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-25 20:07 . 2005-02-08 01:15 -------- d-----w- c:\program files\Microsoft Games
2009-06-25 19:28 . 2009-05-12 19:55 -------- d-----w- c:\program files\Java
2009-06-13 08:19 . 2009-02-09 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-13 13:33 . 2005-07-19 18:16 -------- d-----w- c:\documents and settings\Johnny Gentry\Application Data\Lavasoft
2009-05-13 05:15 . 2004-02-06 23:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 20:32 . 2009-05-11 20:32 -------- d-----w- c:\program files\AVG
2009-05-11 20:25 . 2009-05-11 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-11 20:19 . 2009-05-11 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-11 20:19 . 2005-01-29 23:45 -------- d-----w- c:\program files\Yahoo!
2009-05-11 20:19 . 2009-05-11 20:19 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\Yahoo!
2009-05-11 19:51 . 2003-05-31 16:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-11 19:50 . 2009-03-03 14:55 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\Move Networks
2009-05-11 19:49 . 2003-05-31 16:38 -------- d-----w- c:\program files\Microsoft Works
2009-05-11 19:40 . 2006-07-20 00:22 -------- d-----w- c:\program files\Common Files\Scanner
2009-05-11 19:37 . 2003-05-31 16:41 -------- d-----w- c:\program files\ICQ
2009-05-07 15:32 . 2003-05-31 16:13 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2003-05-31 16:13 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-04-16 15:50 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2005-09-02 16:15 . 2005-01-14 16:53 475 -csh--w- c:\windows\system32\imfi.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-29_17.53.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3 b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3 b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3 b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3 b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3 b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3 b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3 b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3 b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3 b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3 b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3 b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3 b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a 1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a 1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-06-29 18:28 . 2009-06-29 18:34 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2005-11-14 22:38 . 2005-11-14 22:38 72192 c:\windows\Installer\6178f3.msp
+ 2005-11-03 23:03 . 2005-11-03 23:03 20480 c:\windows\Installer\3a7161.msi
+ 2009-02-09 20:33 . 2009-02-09 20:33 48128 c:\windows\Installer\11ba49e.msi
+ 2003-05-31 16:12 . 2002-08-29 12:00 67584 c:\windows\I386\WINNT32.MSI
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a 1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a 1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a 1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a 1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2008-09-04 21:57 . 2007-04-02 18:34 366080 c:\windows\ServicePackFiles\i386\digreqex.msi
+ 2008-09-04 21:57 . 2007-04-02 18:34 863232 c:\windows\ServicePackFiles\i386\digopt.msi
+ 2003-05-31 16:44 . 2003-05-31 16:44 285696 c:\windows\Installer\e635.msi
+ 2003-05-31 16:37 . 2003-05-31 16:37 387584 c:\windows\Installer\e625.msi
+ 2003-05-31 16:29 . 2003-05-31 16:29 264704 c:\windows\Installer\e61e.msi
+ 2004-08-25 14:52 . 2004-08-25 14:52 376832 c:\windows\Installer\b16530.msp
+ 2009-05-11 20:31 . 2009-05-11 20:31 337408 c:\windows\Installer\95bb4.msi
+ 2008-07-23 05:20 . 2008-07-23 05:20 110592 c:\windows\Installer\617941.msp
+ 2008-01-24 16:04 . 2008-01-24 16:04 678400 c:\windows\Installer\61783c.msp
+ 2009-05-12 19:56 . 2009-05-12 19:56 562176 c:\windows\Installer\50e56be.msi
+ 2009-02-10 13:50 . 2009-02-10 13:50 536576 c:\windows\Installer\50122ada.msp
+ 2005-11-03 23:18 . 2005-11-03 23:18 718848 c:\windows\Installer\467cd.msi
+ 2009-03-20 14:44 . 2009-03-20 14:44 501248 c:\windows\Installer\40c941f.msi
+ 2009-01-26 17:36 . 2009-01-26 17:36 532992 c:\windows\Installer\4063b.msi
+ 2005-11-03 23:08 . 2005-11-03 23:08 916480 c:\windows\Installer\3fae81.msi
+ 2008-11-28 09:01 . 2008-11-28 09:01 432640 c:\windows\Installer\3d7e1fb.msi
+ 2007-10-15 05:46 . 2007-10-15 05:46 324608 c:\windows\Installer\3c90736.msp
+ 2009-04-20 19:59 . 2009-04-20 19:59 219648 c:\windows\Installer\348ec77.msp
+ 2009-05-26 23:53 . 2009-05-26 23:53 579072 c:\windows\Installer\348ebfc.msp
+ 2007-10-15 05:44 . 2007-10-15 05:44 324608 c:\windows\Installer\3481448.msp
+ 2006-11-18 04:37 . 2006-11-18 04:37 428544 c:\windows\Installer\2d974fd.msi
+ 2007-08-29 08:06 . 2007-08-29 08:06 431104 c:\windows\Installer\279dade.msi
+ 2009-06-29 18:27 . 2009-06-29 18:27 228352 c:\windows\Installer\1fa594.msi
+ 2006-10-14 19:01 . 2006-10-14 19:01 428544 c:\windows\Installer\12f309.msi
+ 2009-02-09 20:33 . 2009-02-09 20:33 501248 c:\windows\Installer\11ba490.msi
+ 2009-02-09 20:33 . 2009-02-09 20:33 506880 c:\windows\Installer\11ba48b.msi
+ 2009-02-09 20:32 . 2009-02-09 20:32 516608 c:\windows\Installer\11ba484.msi
+ 2009-02-09 20:32 . 2009-02-09 20:32 513024 c:\windows\Installer\11ba477.msi
+ 2009-02-09 20:32 . 2009-02-09 20:32 501248 c:\windows\Installer\11ba46c.msi
+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a 1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a 1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2003-05-31 16:13 . 2004-07-17 18:35 1326080 c:\windows\system32\webfldrs.msi
+ 2004-07-17 18:35 . 2004-07-17 18:35 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2008-09-04 21:57 . 2007-04-02 18:42 5080576 c:\windows\ServicePackFiles\i386\msnmsgs.msi
+ 2007-05-25 17:08 . 2007-05-25 17:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updat es\M928366\M928366Uninstall.msp
+ 2003-05-31 16:38 . 2003-05-31 16:38 1389568 c:\windows\Installer\e62a.msi
+ 2005-11-03 23:35 . 2005-11-03 23:35 5864960 c:\windows\Installer\d7536.msp
+ 2004-03-10 15:13 . 2004-03-10 15:13 2602496 c:\windows\Installer\b16506.msp
+ 2004-09-13 06:35 . 2004-09-13 06:35 1452544 c:\windows\Installer\b164ef.msp
+ 2009-01-12 18:36 . 2009-01-12 18:36 3485184 c:\windows\Installer\9d7c4.msi
+ 2009-05-01 04:02 . 2009-05-01 04:02 9628672 c:\windows\Installer\7ae5d40.msp
+ 2009-04-24 17:28 . 2009-04-24 17:28 4450816 c:\windows\Installer\7ae5d2d.msp
+ 2008-10-28 21:59 . 2008-10-28 21:59 8413184 c:\windows\Installer\61791a.msp
+ 2008-09-04 21:52 . 2008-09-04 21:52 4337664 c:\windows\Installer\617906.msp
+ 2008-05-06 16:30 . 2008-05-06 16:30 9577984 c:\windows\Installer\6178df.msp
+ 2008-01-11 20:13 . 2008-01-11 20:13 5862912 c:\windows\Installer\6178cb.msp
+ 2008-01-14 20:26 . 2008-01-14 20:26 4478464 c:\windows\Installer\6178a5.msp
+ 2006-02-27 22:31 . 2006-02-27 22:31 1269248 c:\windows\Installer\617892.msp
+ 2006-03-28 21:37 . 2006-03-28 21:37 6956032 c:\windows\Installer\61787e.msp
+ 2006-08-29 23:50 . 2006-08-29 23:50 3210240 c:\windows\Installer\617864.msp
+ 2008-06-12 02:13 . 2008-06-12 02:13 7988224 c:\windows\Installer\617828.msp
+ 2008-03-31 22:35 . 2008-03-31 22:35 8309760 c:\windows\Installer\617814.msp
+ 2006-02-22 15:41 . 2006-02-22 15:41 2815488 c:\windows\Installer\617801.msp
+ 2009-05-12 19:55 . 2009-05-12 19:55 1021952 c:\windows\Installer\50e56b9.msi
+ 2009-02-26 00:08 . 2009-02-26 00:08 8311808 c:\windows\Installer\42e5c7ba.msp
+ 2009-03-28 14:50 . 2009-03-28 14:50 5025792 c:\windows\Installer\42e5c7a7.msp
+ 2009-03-20 14:44 . 2009-03-20 14:44 1652736 c:\windows\Installer\40c941a.msi
+ 2009-03-20 14:43 . 2009-03-20 14:43 1652736 c:\windows\Installer\40c9415.msi
+ 2009-03-20 14:43 . 2009-03-20 14:43 2319872 c:\windows\Installer\40c9401.msi
+ 2009-03-20 14:43 . 2009-03-20 14:43 1640960 c:\windows\Installer\40c93f9.msi
+ 2009-03-20 14:42 . 2009-03-20 14:42 2022912 c:\windows\Installer\40c93f4.msi
+ 2009-03-20 14:42 . 2009-03-20 14:42 1713152 c:\windows\Installer\40c93ee.msi
+ 2005-11-03 23:07 . 2005-11-03 23:07 3443712 c:\windows\Installer\3dd8a8.msi
+ 2007-10-15 05:43 . 2007-10-15 05:43 5749760 c:\windows\Installer\3c90730.msp
+ 2009-05-04 12:46 . 2009-05-04 12:46 8299008 c:\windows\Installer\348ec64.msp
+ 2009-05-04 12:47 . 2009-05-04 12:47 9124864 c:\windows\Installer\348ec4f.msp
+ 2009-04-24 17:30 . 2009-04-24 17:30 2583552 c:\windows\Installer\348ec30.msp
+ 2009-05-07 14:17 . 2009-05-07 14:17 5026816 c:\windows\Installer\348ec1a.msp
+ 2009-04-29 20:03 . 2009-04-29 20:03 8404992 c:\windows\Installer\348ebe8.msp
+ 2009-04-24 17:29 . 2009-04-24 17:29 9013760 c:\windows\Installer\348ebd5.msp
+ 2008-02-15 14:54 . 2008-02-15 14:54 9736192 c:\windows\Installer\3481471.msp
+ 2008-04-12 00:08 . 2008-04-12 00:08 6302720 c:\windows\Installer\3481465.msp
+ 2008-10-20 16:18 . 2008-10-20 16:18 6474240 c:\windows\Installer\34813cc.msp
+ 2008-04-11 23:48 . 2008-04-11 23:48 6774272 c:\windows\Installer\2edffe6.msp
+ 2009-02-07 04:31 . 2009-02-07 04:31 5047808 c:\windows\Installer\2edff4b.msp
+ 2007-06-01 20:54 . 2007-06-01 20:54 9626624 c:\windows\Installer\2edff38.msp
+ 2009-06-25 19:52 . 2009-06-25 19:52 1516544 c:\windows\Installer\2be773.msi
+ 2008-03-31 00:01 . 2008-03-31 00:01 3620864 c:\windows\Installer\15b7aca.msi
+ 2009-02-09 20:37 . 2009-02-09 20:37 5570560 c:\windows\Installer\11ba4df.msi
+ 2009-02-09 20:33 . 2009-02-09 20:33 1652736 c:\windows\Installer\11ba495.msi
+ 2009-02-09 20:32 . 2009-02-09 20:32 2397184 c:\windows\Installer\11ba467.msi
+ 2005-11-03 23:08 . 2005-11-03 23:08 1863168 c:\windows\Downloaded Installations\{A8AD743E-7E33-49D5-8913-8A2E5B41E3B1}\HMTCDWizard.msi
+ 2005-09-25 17:46 . 2005-09-25 17:46 16084480 c:\windows\Installer\b1651d.msp
+ 2004-01-30 09:19 . 2004-01-30 09:19 56269996 c:\windows\Installer\a20d8.msp
+ 2008-01-24 21:56 . 2008-01-24 21:56 13570560 c:\windows\Installer\61792e.msp
+ 2008-10-29 01:17 . 2008-10-29 01:17 17520128 c:\windows\Installer\617850.msp
+ 2009-03-09 20:55 . 2009-03-09 20:55 17526272 c:\windows\Installer\50122b01.msp
+ 2009-02-26 00:05 . 2009-02-26 00:05 11840000 c:\windows\Installer\50122aee.msp
+ 2009-02-26 00:07 . 2009-02-26 00:07 11646464 c:\windows\Installer\50122ac5.msp
+ 2005-11-03 23:16 . 2005-11-03 23:16 19210240 c:\windows\Installer\467c8.msp
+ 2009-03-20 14:55 . 2009-03-20 14:55 15830016 c:\windows\Installer\40c9e1c.msi
+ 2008-08-11 17:51 . 2008-08-11 17:51 15916544 c:\windows\Installer\3c90750.msp
+ 2008-08-11 17:49 . 2008-08-11 17:49 22457344 c:\windows\Installer\3c90743.msp
+ 2009-05-05 23:06 . 2009-05-05 23:06 17515008 c:\windows\Installer\348ecc3.msp
+ 2009-05-04 12:49 . 2009-05-04 12:49 10955776 c:\windows\Installer\348ecb0.msp
+ 2008-09-24 18:05 . 2008-09-24 18:05 16381440 c:\windows\Installer\3481454.msp
+ 2007-10-15 05:43 . 2007-10-15 05:43 12743168 c:\windows\Installer\3481439.msp
+ 2007-10-15 05:43 . 2007-10-15 05:43 21981184 c:\windows\Installer\3481427.msp
+ 2008-10-20 15:22 . 2008-10-20 15:22 11758592 c:\windows\Installer\2ee0069.msp
+ 2008-10-20 15:21 . 2008-10-20 15:21 11937280 c:\windows\Installer\2ee0055.msp
+ 2008-10-20 15:16 . 2008-10-20 15:16 13211648 c:\windows\Installer\2ee002f.msp
+ 2008-05-21 06:30 . 2008-05-21 06:30 14308864 c:\windows\Installer\2edff71.msp
+ 2007-08-29 08:12 . 2007-08-29 08:12 15256576 c:\windows\Installer\279db44.msp
+ 2007-10-15 05:43 . 2007-10-15 05:43 229852160 c:\windows\Installer\3481421.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86 \3\hpztsb04.exe" [2006-01-13 196608]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\ 3\E_S4I2G1.EXE" [2003-05-27 99840]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \SAGENT4.EXE"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/29/2009 1:28 PM 108289]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [1/19/2004 10:05 PM 72576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\User_Feed_Synchronization-{B70EC5FC-6D46-4E7F-8CBE-1CB32099EF79}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://www.sandboxer.com/redirect.aspx?ID=21&MID=4L9T23T3HR%23BMD3EHB%406H2 FR727%232S%23H%23KQ4MT%40C%23W
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-03 12:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF1 E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF1 E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF1 E4638-637F-499D-8309-FD71B9750ABC}\TypeLib]
@DACL=(02 0000)
@="{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{AFDBB 222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0]
@DACL=(02 0000)
@="AMNotifier 1.0 Type Library"

[HKEY_LOCAL_MACHINE\software\itbill\CONFIG]
@DACL=(02 0000)
"url"="u}G<<{|vsvr;nyovyy;p|z<{|vsvr<{|vsv r?;ptvLp|{svtJhP\\[SVTj3t‚vqJhTbVQj3}|q‚pJh]_\\cj3zrnJhZRaNQNaNj3Jha_NSSVPlaf]Rj3u‚onJ>"
"domain"=""
"tracker"=""
"updates"=""
"val1"=dword:00000000
"val2"=dword:0036ee80
"val3"=dword:00000000
"val4"=dword:00002710
"activity"=dword:00000001
"last"=dword:4432e03d
"freeze"=dword:00000000

[HKEY_LOCAL_MACHINE\software\itbill\FSUPPORT]
@DACL=(02 0000)
"install_date"="2005-11-12"
"install_time"="13:23"
"ip_addr"="12.222.169.98"
"user_country"="US"
"dir_country"="US"
"userid"="61339790"
"cid"=""
"guid"="OI3AC/E9KA3FKSDHIU1MJJYE9MT514RD"
"ts"="pythonexit"
"tss"="redplayer2"
"idelta"="125"
"traffic_type"="A"
"altpay"="1"
"product"="movieland"

[HKEY_LOCAL_MACHINE\software\itbill\UPDATE]
@DACL=(02 0000)
"Module"=dword:443297ef
"Config"=dword:443297f7

[HKEY_LOCAL_MACHINE\software\MediaPipe\Prefs]
@DACL=(02 0000)
"version"="3"
"AltPayments"="movieland"
"ProductFamily"="movienetworks"
"Country"="US"
"Provider"="MovieLand"
"TRAFFIC_COUNTRY"=""
"TRAFFIC_PROGRAM"=""
"TRAFFIC_SOURCE"="pythonexit"
"TRAFFIC_SUBSOURCE"="redplayer2"
"JOIN_FORM_ID"="150"
"modem"=""
"GUID"="OI3AC/E9KA3FKSDHIU1MJJYE9MT514RD"
"Filename"="c:\\Program Files\\MediaPipe\\MediaPipe.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\SYSTEM32\adsldpc.dll

- - - - - - - > 'explorer.exe'(3280)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\wdfmgr.exe
.
************************************************** ************************
.
Completion time: 2009-07-03 12:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 17:17

Pre-Run: 69,936,668,672 bytes free
Post-Run: 69,920,145,408 bytes free

387

So broni, is it clean? I found the directory C:\Qoobox and it seems to be associated with combofix. Is that correct? When we are done can that be removed? Also I got that warning about getting it from an official source, which I previously provided a screenshot of, for the same copy of combofix that I used earlier. So was that copy corrupted, changed, or was combofix just being paranoid?

**broni** · 04-07-2009

Combofix is very sensitive, but I like it because of that. Better safe, than sorry..

Uninstall Combofix:

Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u"
Restart computer.

================================================== =======

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

================================================== =============

Print this post out, since you won't have an access to it, at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

- R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
- R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
- O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
- O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
- O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

4. You may also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

- O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G 1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
- O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.

**townsbg** · 04-07-2009

I had Java update its self & it updated to V 6. update 13. So do I really need to do that? If it does need the latest why didn't in download the latest. I read that update 14 isn't a critical update.

**broni** · 04-07-2009

Java is very vulnerable component, and it should be kept up to date. Period.
The current version is Update 14.

**townsbg** · 07-07-2009

Ok I fixed the items that you posted except for O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G 1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400". It wasn't listed after the scan. Here is the log.

Logfile of Trend Micro HijackThis v2.0.2

**broni** · 07-07-2009

Your computer is clean

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

2. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

3. Restart computer.

4. Turn System Restore on.

5. Make sure, Windows Updates are current.

6. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

7. Download, and install WOT (Web OF Trust): Internet Security | WOT Web of Trust. It'll warn you (in most cases) about dangerous web sites.

8. Run defrag at your convenience.

9. Read How did I get infected?, With steps so it does not happen again!: How did I get infected?

10. Let me know, how is your computer doing.

[Resolved] Slow Computer

re: [Resolved] Slow Computer

Similar Threads

Slow Computer

Need help please, my computer is very slow! (RESOLVED)

Need help please, my computer is very slow! (RESOLVED)

My Computer is SLOW! Please Help!(RESOLVED)

computer slow (RESOLVED)