newonnet Posted April 15, 2014

Hi

Could someone please have a quick look over my logs please. My PC seems to be VERY slow indeed, fonts have changed by themselves on Google Chrome and AVG Defragment Console has appeared in my list of used programs in the START icon - to my knowledge, I haven't used it! It's been a while since I accessed Pitstop and I am worried that I may have picked up something nasty. I have run Spybot and various System32 and Registry entries have been removed - I have updated and run Malwarebytes - showed no issues. I have attached DDS logs, here is my HJT log......

Many thanks

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:43:08, on 15/04/2014
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Documents and Settings\All Users\Application Data\MobileBrServ\mbbservice.exe
C:\Program Files\Secunia\PSI\sua.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Samsung\Kies\Kies.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=2080530
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.dell.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E0B518A-99A1-4EAF-AF30-9EC9AB5C7214}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: AVG Firewall (avgfws) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgfws.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Mobile Broadband HL Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\MobileBrServ\mbbservice.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

-- End of file - 8755 bytes

DDS note.txt
dds log.txt
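As an added example (not part of the original thread, nor code from HijackThis or any other tool named in it), the script below parses HijackThis v2 entries like the ones in the log above and flags the ones a helper would read first: the O17 DNS servers, O15 Trusted Zone sites, and O4/O23 binaries with no publisher or living outside the Windows and Program Files trees. The sample lines are constructed from the log above, and the resolver allow-list and directory heuristics are assumptions, not rules from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis v2 entries modelled on the log above.
SAMPLE_HJT = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun (User 'SYSTEM')
O15 - Trusted Zone: *.dell.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E0B518A-99A1-4EAF-AF30-9EC9AB5C7214}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Mobile Broadband HL Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\MobileBrServ\mbbservice.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
"""

# Assumptions: resolvers treated as expected (OpenDNS, as in the log above, plus
# Google Public DNS) and directories treated as "system-installed" on Windows XP.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220", "8.8.8.8", "8.8.4.4"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O23 - Service: ..."
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|sys|cab)", re.IGNORECASE)
NS_RE = re.compile(r"NameServer = ([\d.,]+)")


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O23"
    reason: str  # why a helper would review it (a prompt, not a verdict)
    line: str    # the original log line


def parse_entries(text):
    """Yield (code, body, line) for every line that looks like an HJT entry."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(text):
    """Return the entries worth a closer look, with the reason for each."""
    findings = []
    for code, body, line in parse_entries(text):
        reasons = []
        if code == "O17":                      # DNS servers set on an adapter
            m = NS_RE.search(body)
            servers = m.group(1).split(",") if m else []
            unknown = [s for s in servers if s not in KNOWN_RESOLVERS]
            if unknown:
                reasons.append("DNS server(s) not on the allow-list: " + ",".join(unknown))
        elif code == "O15":                    # site added to IE Trusted Zone
            reasons.append("Trusted Zone entry relaxes IE security for that site")
        elif code in ("O4", "O23"):            # autoruns and services
            if code == "O23" and "Unknown owner" in body:
                reasons.append("service binary carries no publisher name")
            m = PATH_RE.search(body)
            path = m.group(0) if m else None
            if path and not path.lower().startswith(SYSTEM_DIRS):
                reasons.append("binary outside Windows/Program Files: " + path)
        if reasons:
            findings.append(Finding(code, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f.code, "-", f.reason)
```

Everything it flags is a prompt for a human to look at the entry, as Tomk does below; a flagged service such as the mobile broadband helper above may well be legitimate.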
Tomk_ Posted April 16, 2014

I'm not seeing anything obvious. Let's dig a little deeper.

Download ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html

Double click on ComboFix.exe & follow the prompts. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
newonnet Posted April 16, 2014

Hi Tomk

Thanks for the reply. I have run Combofix, log is attached.

Many thanks

log.txt
Tomk_ Posted April 17, 2014

Nothing very exciting there. Some temp files were cleared and some orphans were removed. I doubt you will notice much difference. Let's give it a general garbage cleaning.

Step 1
Please download Junkware Removal Tool to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Step 2
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan button.
Wait until it is finished.
Click on Clean.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner\AdwCleaner[s0].txt as well.

Step 3
Please download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

In your next reply, post the following log files:
Junkware Removal Tool log
AdwCleaner log
Malwarebytes' Anti-Malware log
newonnet Posted April 21, 2014

Hi Tomk

Apologies for late reply. I have followed the instructions but... JRT will not work; after download it extracts and then opens .........System32\cmd.exe and nothing happens. I have left it for literally hours and nothing. Press enter or delete, then it says "File does not have a program associated with it for permitting this action............" The AdwCleaner and Malwarebytes run fine. I have attached the logs..

Many thanks Tomk

AdwCleanerS0.txt
mbam-log-2014-04-17 (20-54-05).txt
Tomk_ Posted April 21, 2014

Don't worry about JRT. I don't know why it isn't working... but it's not important. Still nothing very exciting found. Let's get an online scan. This one will take forever. Scan is often several hours. Just let it run while you are off doing something else.

ESET Online Scanner:
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus; how to do so can be read here.
Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
Please go here then click on:
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on:
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on:
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on:
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
newonnet Posted April 23, 2014

Hi Tomk, thanks for the reply. I have run the ESET scan and attached relevant log...

log NOTEPAD ESET.txt
ESET log.txt
Tomk_ Posted April 23, 2014

It appears that you have problems from time to time and run ESET online. Every time it finds a few things. The "worst" found this time is Utorrent. You have surprisingly few PUPs on there seeing as how there are usually a couple installed along with the add-on when you initially download it.

utorrent
You have utorrent, a P2P/file sharing program, installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it. References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
I would recommend that you uninstall utorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

Let's get rid of the little traces found.

COMBOFIX-Script
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

File::
C:\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\chrome\utorrentbar.jar
C:\WINDOWS\Installer\2aa0678.msi

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then let me know if you have noticed any improvement.
newonnet Posted April 23, 2014

Hi Tomk, thanks for post. I was sure I had uninstalled Utorrent a while ago - I went to control panel and there were no torrent programs in there. I went to Program files instead and deleted Utorrent files from there. Ran ComboFix - took ages Tomk, it seemed to delete a load of temp files? I have attached the log.

Thanks again Tomk

Combofix log.txt
Tomk_ Posted April 23, 2014

Combofix cleans out temp files as a matter of course... but you are right. That's a bunch of them in a short period of time. Usually files with those type of names are from failed install attempts - but I don't see anything new installed. Has your system been updating?
newonnet Posted April 24, 2014

Hi Tomk, thanks for the post.... With regards to installing.... I had a graphics card Nvidia which I took out due to driver issues, tried to reinstall a few times but didn't manage it - could be that, or... Samsung mobile phone drivers and KIES application - total nightmare and another few failed installations. Other than that, AVG updates regularly as does windows..
Tomk_ Posted April 25, 2014

That sounds plausible. Other than CF taking forever... is everything else still running slow?
newonnet Posted April 25, 2014

Hi Tomk, thanks for post. PC seems ok, it's not really gonna be too quick due to age etc - I may have a look at some of the tips in forum about how to speed up (I may have already done these a long time ago but can't remember). There is a useful post I saw advising deleting previous restore points etc. I'll try some of those and see how it all goes.

Many thanks for your advice though Tomk
Tomk_ Posted April 25, 2014

Some of that (like restore points) will be taken care of through our housekeeping steps.

Click START then RUN
Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
The above procedure will:
Implement some cleanup procedures.
Reset System Restore.

We need to remove the tools we've used during cleaning your machine
Download Delfix from here
Ensure Remove disinfection tools is ticked
Also tick:
Create registry backup
Purge system restore
Click Run
The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply
Please re-enable any security that was disabled.
newonnet Posted April 27, 2014

Hi Tomk

I followed the procedures but had an issue with the combofix instructions. Upon entering the following

Click START then RUN
Now type ComboFix /Uninstall in the runbox and click OK.

A dialogue box opens saying....."Windows cannot find ComboFix.........." - I copied and pasted the text and also tried typing it in case of mistake with the space between X & U. Both ways had the same response. No problems with the Delfix instructions though - log is attached

Many thanks Tomk

DelFixlog.txt
Tomk_ Posted April 28, 2014

I don't know why the combofix uninstall routine didn't work... unless you ran delfix first - which uninstalled it. Whatever, according to your delfix log it has been removed.

The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.
Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.
I would also suggest you read this:
So how did I get infected in the first place? by Tony Klein
Also: "How to prevent malware" by miekiemoes
Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved.
newonnet Posted April 28, 2014

Hi Tomk, I have had a look through the Malware info links. Thanks so much for your help and advice.

Regards
Tomk_ Posted May 1, 2014

You are very welcome. Good luck and be well.