Computer is very sluggish

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by owlbug, Jun 29, 2008.

  1. owlbug

    owlbug Private First Class

    Here are the logs, as directed. I think I've done what has been asked of me. Post 1 of 2.
     

    Attached Files:

  2. owlbug

    owlbug Private First Class

    Post 2 of 2.

    I created the Spybot log after running Spybot, but I'm pretty sure Spybot didn't find anything. I'm not sure if that is useful or not. My computer is very slow when running video from the internet and I've noticed recently that the internet has been incredibly slow lately. It seems that AVG is using a lot of my computer's resources. I deactivated AVG's linkscanner because I figured that might be the culprit.
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi owlbug,
    Welcome to the Malware Forum!

    You have a lot of tmp files on your computer in the Windows/System32 folder which were put on your computer on April 13th. Since this was one of the days on which SP3 was released as a Windows update, I think that these files may relate to an unsuccessful update. You also have a file called spdwnwxp.exe which is a process to downgrade an XP SP version. Your computer is still at SP2. Do you know anything about this?

    Please do the following:


    Running GMER to detect rootkits


    Next please download Registry Search (see the link titled RegSearch Download Link )

    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter ServLess in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.



    abri
     
    Last edited: Jun 30, 2008
  4. owlbug

    owlbug Private First Class

    I know that I wasn't able to upgrade to SP3; there was some failure or error. I tried it more than once and it didn't work, which is strange because this computer normally doesn't have Windows Update issues (except for not being able to update Office because I don't have the original disks and it seems there is an issue with the way Office loaded).

    I don't know anything about spdwnwxp.exe.

    I am attaching an AVG scan from yesterday that shows a lot of malware warnings. I don't know if it will mean anything or not to you. I will do what you requested and reply back.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are all false detections. Those keys were added to your registry by SpywareBlaster to protect you.
     
  6. abri

    abri MajorGeek

    Hi owlbug,

    After you run GMER and the Registry Search in post 3, then I would like for you to do the following:


    1) Please disable your guest account if that's not already been done.

    2) Then go to add/remove programs and uninstall ZoneAlarm.


    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

    Code:
    KILLALL::
    
    FILE::
    C:\WINDOWS\TEMP\7285355b-75f2-4b44-81bd-5df8e8426657.tmp
    C:\WINDOWS\TEMP\25ae09c1-2d62-4b25-8975-97eea771a30d.tmp
    C:\WINDOWS\TEMP\ZLT0039b.TMP
    C:\WINDOWS\TEMP\ZLT003bf.TMP
    C:\WINDOWS\AppPatch\SET60B.tmp
    C:\WINDOWS\AppPatch\set5e9.tmp
    C:\WINDOWS\AppPatch\SET60A.tmp
    C:\WINDOWS\AppPatch\set5e8.tmp
    C:\WINDOWS\AppPatch\SET609.tmp
    C:\WINDOWS\AppPatch\set5e7.tmp
    C:\WINDOWS\SYSTEM32\SET3B9.tmp
    C:\WINDOWS\SYSTEM32\SETFCE.tmp
    C:\WINDOWS\SYSTEM32\SETFAA.tmp
    C:\WINDOWS\SYSTEM32\SET52F.tmp
    C:\WINDOWS\SYSTEM32\SET514.tmp
    C:\WINDOWS\SYSTEM32\SET501.tmp
    C:\WINDOWS\SYSTEM32\SET4F8.tmp
    C:\WINDOWS\SYSTEM32\SET312.tmp
    C:\WINDOWS\SYSTEM32\SET304.tmp
    C:\WINDOWS\SYSTEM32\SET230.tmp
    C:\WINDOWS\SYSTEM32\SET47C.tmp
    C:\WINDOWS\SYSTEM32\SET462.tmp
    C:\WINDOWS\SYSTEM32\SET355.tmp
    C:\WINDOWS\SYSTEM32\SET2AE.tmp
    C:\WINDOWS\SYSTEM32\SET2C2.tmp
    C:\WINDOWS\SYSTEM32\SET1EE.tmp
    C:\WINDOWS\SYSTEM32\SET3C7.tmp
    C:\WINDOWS\SYSTEM32\SET353.tmp
    C:\WINDOWS\SYSTEM32\SET352.tmp
    C:\WINDOWS\SYSTEM32\SET2A8.tmp
    C:\WINDOWS\SYSTEM32\SET3A7.tmp
    C:\WINDOWS\SYSTEM32\SET327.tmp
    C:\WINDOWS\SYSTEM32\SET51F.tmp
    C:\WINDOWS\SYSTEM32\SET508.tmp
    C:\WINDOWS\SYSTEM32\SET2E1.tmp
    C:\WINDOWS\SYSTEM32\SET20D.tmp
    C:\WINDOWS\SYSTEM32\SET3A3.tmp
    C:\WINDOWS\SYSTEM32\SET323.tmp
    C:\WINDOWS\SYSTEM32\SET2B1.tmp
    C:\WINDOWS\SYSTEM32\SET1DD.tmp
    C:\WINDOWS\SYSTEM32\SET3AF.tmp
    C:\WINDOWS\SYSTEM32\SET333.tmp
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\SET633.tmp
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\SET655.tmp
    C:\WINDOWS\system32\svchosting.exe
    
    REGISTRY::
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the ComboFix log.


    Let me know how things are running now?

    abri
     
  7. owlbug

    owlbug Private First Class

    I've completed GMER and Registry Search. Logs are attached.

    Thank you chaslang. Abri, I'll do what you recommended next.
     

    Attached Files:

  8. owlbug

    owlbug Private First Class

    1) I believe the guest account was already disabled.

    2) I uninstalled ZoneAlarm.

    3) I don't use Windows Messenger, so I removed it, which took about a second.

    4) I ran ComboFix; combofix2.txt will be attached.

    5) I ran CCleaner.

    6) I ran GetLogs.bat; MGlogs.zip will be attached.

    Things seem faster, but am I safe without a firewall? Also, should I leave AVG linkscanner disabled (it leaves a red exclamation on the small AVG icon on the bottom right that indicates that AVG is running in the background)? Should I run an internet video and see how it works and should I try to install SP3 again?
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi owlbug,

    I didn't get all the files which needed to be removed. There's a service which still needs to be removed. Please do the following:


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Microsoft Config
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.

    • Next, run HJT (it will now be called analyse.exe and you will find it inside the MGTools folder of your root drive), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Win32 USB2 Driver into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    After clicking Fix, exit HJT.

    Please run CCleaner and then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    When AVG went from 7.5 to 8.0, they turned their standalone security programs into a complete security suite which includes a firewall. So when you upgraded to 8.0, you ended up with two firewalls.

    abri
     
    Last edited: Jul 1, 2008
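As an added illustration (not code from the thread, from abri, or from ComboFix), here is a read-only PowerShell check that reports whether the files, registry entries and services named in posts 6 and 9 are still present, and lists the leftover SET*.tmp files mentioned in post 3. It changes nothing, so it can be run before and after the ComboFix script to confirm the removal worked; it assumes the paths and service names exactly as quoted in the thread.

```powershell
# Added read-only triage script (not part of the thread or of ComboFix).
# Reports which of the indicators listed in posts 6 and 9 are still present;
# it removes nothing. Run from an elevated PowerShell prompt.
# Assumption: the paths and names below are exactly those quoted in the thread.

$files = @(
    'C:\WINDOWS\system32\svchosting.exe',
    'C:\WINDOWS\TEMP\ZLT0039b.TMP',
    'C:\WINDOWS\TEMP\ZLT003bf.TMP'
)
$regKeys = @(
    'HKCU:\Software\Kazaa',
    'HKLM:\SOFTWARE\knight'
)
$policyValues = @('HideLegacyLogonScripts', 'HideLogoffScripts',
                  'RunLogonScriptSync', 'RunStartupScriptSync', 'HideStartupScripts')
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$services = @('Microsoft Config', 'Win32 USB2 Driver')

foreach ($f in $files) {
    $state = if (Test-Path -LiteralPath $f) { 'PRESENT' } else { 'absent ' }
    Write-Output "[file]    $state $f"
}
foreach ($k in $regKeys) {
    $state = if (Test-Path -LiteralPath $k) { 'PRESENT' } else { 'absent ' }
    Write-Output "[regkey]  $state $k"
}
foreach ($p in $policyPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $props = Get-ItemProperty -LiteralPath $p
    foreach ($v in $policyValues) {
        # Only values that actually exist are reported (the CFScript deletes them with "=-")
        if ($null -ne $props.$v) { Write-Output "[policy]  PRESENT $p\$v = $($props.$v)" }
    }
}
foreach ($s in $services) {
    # Match DisplayName as well as Name: services.msc and HJT show the display name.
    $svc = Get-Service | Where-Object { $_.Name -eq $s -or $_.DisplayName -eq $s }
    if ($svc) { Write-Output "[service] PRESENT $s ($($svc.Status))" }
    else      { Write-Output "[service] absent  $s" }
}
# Leftover SET*.tmp files in System32 with creation dates (the April 13th files from post 3).
Get-ChildItem -Path 'C:\WINDOWS\system32' -Filter 'SET*.tmp' -ErrorAction SilentlyContinue |
    Select-Object Name, CreationTime | Format-Table -AutoSize
```

A line marked PRESENT after the ComboFix run means that item survived and still needs attention; on a 64-bit system the HKLM paths may be redirected under Wow6432Node, which the script does not check.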
  10. owlbug

    owlbug Private First Class

    Thank you for your help. Should I reinstate AVG's LinkScanner?

    Neither Microsoft Config nor Win32 USB2 Driver was found.

    Attaching MGlogs.zip.
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi Owlbug,

    Sorry this is taking some time. Please do the following:


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DRIVER::
    Microsoft Config 
    Win32 USB2 Driver
    
    FILE::
    C:\WINDOWS\system32\svchosting.exe
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run CCleaner at the default setting with the Windows tab as the top one.

    Please attach the Combofix log.


    Let me know how things are running now?

    abri
     
  12. owlbug

    owlbug Private First Class

    I re-enabled AVG's LinkScanner. The computer seems to be running ok right now.

    I am enclosing ComboFix.txt.
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi owlbug,

    Good that it's running okay now! Please go through the final cleanup instructions, which will remove our tools and logs from your computer and free up some more room. Then I strongly advise starting a thread in the Software Forum, if you have not already done this, to find out why your computer can't get SP3 and to get rid of all the renamed files it has on it.
    abri
     
  14. owlbug

    owlbug Private First Class

    Thank you abri. I will go through the Malware protection steps and change quite a bit of the protections I have in place, as that guide seems to recommend. I did System Restore and everything seems to be running better. I will also check out the software board to see if I can get Windows updated. Thanks a lot for all your help.
     
