My aunts computers is slooow

First I just want to stated an important up front observation. This PC has no protection software installed which is part of the reason it was so badly infected. The other reason is the sites being accessed.

First we need to cleanup old remnants from Symantec. Run the below, reboot, and then run it one more time.

Norton Removal Tool (SymNRT)


Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Qqnbr] C:\Documents and Settings\Preinstalled user\Application Data\??crosoft.NET\r?gsvr32.exe
O4 - HKCU\..\Run: [Eloit] "C:\Documents and Settings\Preinstalled user\My Documents\?dobe\w?nlogon.exe"
O4 - HKCU\..\Run: [Oqyid] C:\WINNT\a?sembly\?ti2evxx.exe
O4 - HKCU\..\Run: [Wom] "C:\Documents and Settings\Preinstalled user\My Documents\?icrosoft.NET\n?lookup.exe"
O4 - HKCU\..\Run: [Trt] "C:\Documents and Settings\Preinstalled user\My Documents\?ecurity\?hkdsk.exe"
O4 - HKCU\..\Run: [Rahbj] C:\WINNT\?icrosoft\w?auclt.exe
O4 - HKCU\..\Run: [Xgmgda] C:\WINNT\?racle\e?plorer.exe
O4 - HKCU\..\Run: [Rotu] C:\WINNT\system32\s?stem32\?srss.exe
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O20 - AppInit_DLLs: rundll.dll

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
After clicking Fix, exit HJT.


Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Administrator\Local Settings\Temp

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You're welcome.

You forgot to attach the new log from running ComboFix.

Also you forgot to tell me how things are working.

 

You must not have two antivirus programs installed. This is an absolute no no!!! You must uninstall Norton if you want to use Nod. And if you already installed Nod you may run into problems getting Norton removed.

But we are not finished yet and it is not tomorrow yet.