Possible Spyware (but ware is it..Help)

[KaisorSoze]

Hello

I am having trouble with my pc running slow. It is about 25 years old. It is a Dell Dimension 4600 with intel 4 2.4Ghz in it. Got bout 80 GB. Currently got about 65% of my harddrive available. I use this guide http://forums.majorgeeks.com/showthread.php?t=35407 to help assistance with removal of any viruses and adware. With all the searches for viruses and adware I only found one. It was removed. However, when I boot up in Normal mode, it still takes about 30-50 seconds for my pc to boot up. The known programs that I have booting is NIS and Microsoft anti-spyware. On top of that, on the first attempt to open Firefox, it takes about 20 seconds to open. I was wondering if someone can help me out. I ran HiJackThis and was hoping someone can view my log. Also during my many scans the following happen:

This was found on an online scan
C:\\WINDOWS\NDNuninstall6_38.exe (Adware.NewDot

Avast virus Cleaner Tool (I did this scan in safe mode with networking)
C:\Documents and Settings\The Man\Local Settings\Temp\~DF411.tmp... file could not be scanned!
C:\Documents and Settings\The Man\Local Settings\Temp\~DFF7F.tmp... file could not be scanned!
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log... file could not be scanned!
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb... file could not be scanned!
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys... file could not be scanned!

Avast Virus Cleaner Tool (I did the same scan a second time in safe mode only)
C:\Documents and Settings\The Man\Local Settings\Temp\~DF3812.tmp... file could not be scanned!
C:\Documents and Settings\The Man\Local Settings\Temp\~DFDFC1.tmp... file could not be scanned!
C:\Documents and Settings\The Man\Local Settings\Temp\~DFEB37.tmp... file could not be scanned!
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys... file could not be scanned!

Spy Sweeper ( an online spy ware scan found this)
3 found Adware in the following categories
PC Corruption
Runaway Pop-Up Ads
Sluggish Performance
Behavior Surveillance

Thanks a lot in advance.

[Shadow_Puter_Dude]

Scan with HijackThis and fix the following:

Quote:

O2 - BHO: (no name) - {0951E7B7-7854-75F7-05B6-0232A36FB5EB} - (no file)
O2 - BHO: (no name) - {13294386-C628-82F9-43D4-8563E6C3B1FB} - (no file)
O2 - BHO: (no name) - {13468D82-151D-46E3-3857-4D31C0CEFEEE} - (no file)
O2 - BHO: (no name) - {13468D8A-1569-4E92-3854-3931B3BEFEEE} - (no file)
O2 - BHO: (no name) - {15128DD5-174F-10E1-3A57-4D31C0CEA6EC} - (no file)
O2 - BHO: (no name) - {23047386-EB6B-B3CD-6EE5-B34EDEF79CC2} - (no file)
O2 - BHO: (no name) - {236BBD8B-382A-7FA6-1565-7B1CF1FBD3AD} - (no file)
O2 - BHO: (no name) - {253FBDDC-3A78-29A4-1765-7B1CF1FB8BAF} - (no file)
O2 - BHO: (no name) - {40D61F04-59E4-4C8D-BF6E-697AB9C21F43} - (no file)
O2 - BHO: (no name) - {41AE7863-FDC7-EE10-AF2D-EA35639BEBFE} - (no file)
O2 - BHO: (no name) - {4D794DDB-C67D-D2AF-1AD4-8563E6C3B0AB} - (no file)
O2 - BHO: (no name) - {4F611021-D095-DD38-C95F-A998C930A0BA} - (no file)
O2 - BHO: (no name) - {4F611029-D0E1-D549-C95C-DD98BA40A0BA} - (no file)
O2 - BHO: (no name) - {7F4C2020-FDD6-EC0C-E46E-EBB58B758DF9} - (no file)
O2 - BHO: (no name) - {9B000F9F-9576-C8D4-7557-C8098A122098} - (no file)
O2 - BHO: (no name) - {9F5A5A97-C724-CD8C-7357-C8098A1223CD} - (no file)
O2 - BHO: (no name) - {AB2D3F9F-B835-F9E0-5866-FE24B2260DA1} - (no file)
O2 - BHO: (no name) - {D7E1CDA4-1E50-0BD0-6B57-587E77C27BF1} - (no file)
O2 - BHO: (no name) - {E5A1691B-D188-4419-AD02-90002030B8EE} - (no file)
O2 - BHO: (no name) - {F45E5C92-C37D-9CDB-2941-99ECD4E04A98} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

You should uninstall the Logitech Desktop Messenger, it is an unnecessary service, and you really don't need it.

Post a fresh HijackThis log.

[KaisorSoze]

Hey, thanks for the reply
here is the new log.
Also, I notice that winfixer is in there somewhere. I am assuming that is bad.

[Shadow_Puter_Dude]

Quote:

Originally Posted by KaisorSoze

Hey, thanks for the reply
here is the new log.
Also, I notice that winfixer is in there somewhere. I am assuming that is bad.

Why would you say that? Your log shows no signs on a WinFixer infection.

However, I do have a question about this entry:
O17 - HKLM\System\CCS\Services\Tcpip\..\{472AED08-62BD-4520-B392-A0FE6A117E41}: NameServer = 192.168.1.1 <---- I am assuming this is for a Private Network.

Otherwise your log in clean. How is your system running?

[KaisorSoze]

Thanks again...but it is still running sluggish. Another thing, once I am booted, my floppy disk drive makes noise, as if it is looking for a disk. Also, I just did another scan with Gdata software remover, an antiworm detector and it asked to remove the following
C:\WINDOWS\windrv.exeEmail-Worm.Win32.Dumaru

However, my pc froze when I clicked yes. Don't know what that is all about.

Any other suggestions. With the slow boot up and my pc only receiving 1/3 of my internet connection (another problem I have yet to solve: contact ISP (BellSouth), Linksys (my network card) and Dell (my pc type) and no luck) I don't know what is going on with my pc.

[Shadow_Puter_Dude]

OK, it appears that you have a few issues not shown by HijackThis, not unusual.

Please follow the instructions in this thread:
Running Ewido Security Suite

[KaisorSoze]

I was not sure if I was suppose to post this to you, but here anyway. It found some 30-something infections. the log is attached.

[Shadow_Puter_Dude]

Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files form RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

Now come back here and post all three logs as attachments. You will need to do 2 posts to attach all 3 logs.

[KaisorSoze]

Here is the Panda Scan log and the Qoologic Finder text as well.

[KaisorSoze]

and here is the RKTOOL log as well. Thanks again man, I see you are helping a lot of people..really do appreciate. What's next?

[Shadow_Puter_Dude]

Boot into Safe Mode.

Open Windows Explorer and DELETE the following:

Quote:

C:\WINDOWS\windrv.exe
C:\WINDOWS\SYSTEM32\w?nlogon.exe <---- Be carfefully here and DO NOT delete winlogon.exe
C:\Documents and Settings\The Man\My Documents\My Received Files\EvID4226Patch223d-en\EvID4226Patch.exe

Reboot into Normal Mode. How is your system running?

[KaisorSoze]

How is your system running?

It is running a bit smoother....of known programs that boot at the startup (NIS, DellHelp, My printer, ewido, and microsoft-anit-spyware) NIS is taking awhile to boot up. The others boot up okay (one after the other). When I say boot up, I am referring to their respective Icons that appear on the bottom right. From you last post I deleted all except the w?nlogin.exe. I did not see "w?nlogin.exe" but I saw 2 "winlogin.exe" One had an icon of a window that showed a nighttime sky. The other did not have an icon at all. Is that the one I delete? I doubled checked for the "w?nlogin.exe." but did not see it. Once I do that, what's next?

[Shadow_Puter_Dude]

Delete winlogin.exe. Right-click on both winlogon.exe, you want to delete the one that isn't from Microsoft; most likely the one without the icon.

NIS is a serious resource hog. You may want to consider uninstalling NIS.

[KaisorSoze]

NIS is a real resource hog

I notice that before on another pc I had, but the boot time was not as long. I also install the same NIS on another PC and the boot is quite fast. On the other PC that I install it on, it boots in 5-10 seconds. But on the one I am working on now, it takes 20-30 seconds after everything else boots, which isn't that bad. But what I am noticing now is while it is booting, the floppy drive light comes on as if it is scannin for a diskette. This just started happening a 3-4 days now. I am going to delete the winlogin.exe and tell you any difference.

[KaisorSoze]

Okay, I delted the winlogon.exe. When I rebooted, the other apps booted okay. NIS took about 1 min after all others were booted. Also, Windows Firewall Warning poppped up then disappeared, then NIS booted up. Another thing, When I clicked on Firefox to open a window, it took 40-50 seconds for it to open (I waited for all programs to be booted first and for the busy light to stop). Does that mean something still is wrong or is that normal? Also, what's next!

[Shadow_Puter_Dude]

The Windows Security warning is normal until your firewall loads. Firefox shouldn't take that long to load. 10-15 seconds on first load but not 40-50 seconds. Could be an issue with NIS.

Run CCleaner before doing the below.

Download WinPFind

Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

[KaisorSoze]

I had difficulties running that last program. I ran it three times. The first time in normal mode. Within in about five minutes of the scan I got an error message saying (Invalid data type for "). I clicked "okay" and it shown to be running under Window task manager. However, it did not move from the previous location after an 2 hours of running. I ran it again and got the same message. I ran it again in safe mode and got the same message. All errors occurred when it got to the following folder:

(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObject
DelayLoad)

The first item (%SystemRoot%\system32\SHELL32.dll CDBurn (fbeb8a05-beee-4442-804e-409d6c4515e9) scanned okay, but right after that the following happens
%SystemRoot%\system32\SHELL32.dll
after that the error box popups up.

The computer continues to complete boot after about 2 mins and opening Firefox stills takes about 40-50 secs after double-clicking it.

[Shadow_Puter_Dude]

OK, it looks like you are having issues with NIS. You may want to consider uninstalling NIS, to see what effect that has on your boot times.

Anyway, this looks like a software issue now, and I recommend you post in the Software Forum. Reference this thread in your post, someone will be along to assist, if not myself.