Is this PC clean now?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pshs2k2, Feb 13, 2012.

  1. pshs2k2

    pshs2k2 Private E-2

    My friend brought me her computer to look at it for her. When I received it, it would not load the desktop. I tried task manager explorer.exe but it still didn't show up. I tried everything from right clicking on the desktop to see if anything showed up, but to no avail! Finally I got the pc to load up safe mode (took forever to load that!), which was loading the desktop, but would freeze. I kept messing around with restarts into normal mode, then one time explorer.exe was present in task manager but the desktop still wasn't showing. I ended the explorer process, and then ran new explorer.exe, IT WORKED! Not sure what the difference was? I then decided to come here and run the READ AND RUN ME FIRST. It took a loooong time to get these logs, but they are attached! Please if anyone could look at these and let me know what my next step would be. Thanks in advance!
     

    Attached Files:

  2. pshs2k2

    pshs2k2 Private E-2

    Here is the other log!
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hello pshs2k2,

    http://img853.imageshack.us/img853/6741/addremovexp.gif From Add/Remove Programs (via Control Panel), please uninstall the below:
    • My.Freeze.com NetAssistant

    http://img823.imageshack.us/img823/2039/msnmsg.gif Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    http://img825.imageshack.us/img825/2648/hjt.gif Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
    O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    FileLook::
    c:\program files\Convert.exe
    C:\WINDOWS\explorer.exe
    Folder::
    C:\Documents and Settings\LocalService\Local Settings\Application Data\assembly
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft_Corporation\C__Program_Files_Recipe_F_Path_githfod3rkouzetssskmmb05bfeyk1vf
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{62ADFB9F-C4B1-4253-A2CE-5CF84E7DE4F2}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{840A55B1-73C9-4035-8A32-116ECAF73946}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E2B392D1-4561-426C-A687-00769C36C0B1}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A83EE083-0342-4A16-972D-046996C8BD5E}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    http://img195.imageshack.us/img195/9049/javaz.gif Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
     
  4. pshs2k2

    pshs2k2 Private E-2

    Here are the requested logs. :) When I ran the script, combo still found a rootkit and needed to reboot! :( This still scares me a little bit because I thought it got rid of it earlier? Thanks for your time so far and I know we can get this thing taken care of! ;)
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    http://img196.imageshack.us/img196/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run


    http://img862.imageshack.us/img862/8218/win32kdiag.gif Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the http://img849.imageshack.us/img849/4325/windowkey.gif Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach)

    http://img684.imageshack.us/img684/6489/aswmbr.gif Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)
     
  6. pshs2k2

    pshs2k2 Private E-2

    Here are the three requested logs! I hope they came back OK! Please let me know. Thanks a lot so far!!
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    I am not seeing any rootkit activity in your logs. Did ComboFix say which type of rootkit you were infected with? The script I gave you is intended to reboot your PC. This alone does not mean you are infected with a rootkit.

    Your latest logs are clean. Are you having any problems with the PC?
     
  8. pshs2k2

    pshs2k2 Private E-2

    Combo did not say what kind of rootkit, it just said something about rootkit activity and that it needed to reboot windows. It did its reboot. Then, when it rebooted the pc for a second time (probably the one you scripted for?), it froze on "windows is shutting down". I left it there for about 40 min to see if it would work, then decided to reboot by pressing reset. After that, combo then finished the log and such. The computer is doing a lot better now!! You all are the experts, so I trust your judgement. :cool
     
    Last edited: Feb 14, 2012
  9. thisisu

    thisisu Malware Consultant

  10. pshs2k2

    pshs2k2 Private E-2

    Do I just put the exe in the trash bin? Will that delete it or is there something special to do?
     
  11. thisisu

    thisisu Malware Consultant

    Yes you can put it in the trash bin, that's fine.
     
  12. pshs2k2

    pshs2k2 Private E-2

    Yes, it still said "Combofix has detected the presence of rootkit activity and needs to reboot the machine". After reboot, I also got another new message "PEV.exe has encountered a problem and needs to close, We are sorry for the inconvenience". Not sure what that has to deal with? Gonna get some :zzz for now, be back tomorrow! Just let me know what to do next! :major Here is the log..
     

    Attached Files:

    • log.txt (8.8 KB)
  13. thisisu

    thisisu Malware Consultant

    pev.exe is a program used in ComboFix.

    Just to be on the safe side, I'd like you to to scan with Eset Online Scanner.
    Remember to attach your log from the scan when finished. (How to attach)
     
  14. pshs2k2

    pshs2k2 Private E-2

    Here is the ESET log!
     

    Attached Files:

    • ESET.txt (382 bytes)
  15. thisisu

    thisisu Malware Consultant

    This log is clean as well as the rest of your logs. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  16. pshs2k2

    pshs2k2 Private E-2

    Thanks for all your help! The computer seems to be doing better now and I did the cleanup procedures. I do have something else to ask about. Internet explorer will not let me go to the bleepingcomputer website. I think that is the only website it won't let me enter, but I'm not sure. It keeps saying that internet explorer has encountered a problem and needs to close. I can enter the site fine with firefox! Could this be related to any malware? What can I do to try and connect it to this site? :confused
     
  17. thisisu

    thisisu Malware Consultant

    Sounds more like a problem with Internet Explorer. Give the below a try.

    http://img141.imageshack.us/img141/1999/cipi.gif Please download Complete Internet Repair and unzip the contents into a folder on your desktop.

    • Run CIntRep.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • Place check-marks in the following:
      • Reset Internet Protocol (TCP/IP)
      • Repair Winsock (Reset Catalog)
      • Flush DNS Resolver Cache
      • Repair Internet Explorer 8.0.7601
      • Repair SSL / HTTPS / Cryptography
      • Restore the default hosts File
    • Then press the Go! button
    • Allow the PC to reboot.

    Another thing you should do, if you have not done so already, is upgrade to Windows XP Service Pack 3.
     
  18. pshs2k2

    pshs2k2 Private E-2

    Ran complete internet repair, rebooted. It still doesn't let me go to that site. :( Anything else I could try? Also the internet is very slooooow! I will install sp3 tomorrow.
     
  19. thisisu

    thisisu Malware Consultant

    I am not sure on why you would be blocked just from bleepingcomputer.

    You have some bigger problems though:

    Code:
    Processor	x86 Family 6 Model 3 Stepping 0 AuthenticAMD ~655 Mhz
    
    Total Physical Memory	320.00 MB
    Available Physical Memory	202.63 MB
    This PC must be nearly 10 years old. Time for an upgrade ;)
     
  20. pshs2k2

    pshs2k2 Private E-2

    Yes, it is 10 yrs old! It is painful to work on. lol I'm trying to get her to let me build her one, but she's stubborn ;) I'm not sure why it's that website either, it could be more. Could it be certain sites that "help fix" computers? Here is the link after I get the error.
    res://ieframe.dll/acr_error.htm#bleepingcomputer.com,http://www.bleepingcomputer.com/ If you can sort that out?
     
  21. thisisu

    thisisu Malware Consultant

    Try the following: http://support.microsoft.com/kb/923737
    Use the Fix It tool from this page.
     
  22. pshs2k2

    pshs2k2 Private E-2

    Thanks for that! I'll try it in a little bit. Right now I'm upgrading it to sp3 ;) but it seems to be stuck on "Performing Cleanup" about 3/4 of the way installed. I hope it doesn't screw everything up if I do a manual restart. What do you think? Thanks!
     
  23. thisisu

    thisisu Malware Consultant

    Hold off on doing a manual restart. It should not freeze up, just may take a lot longer due to the system specs.
     
  24. pshs2k2

    pshs2k2 Private E-2

    Well, it definitely froze on the cleanup procedure! Waited 1 1/2 hrs for it to do its thing. I also ran the Internet Repair process you gave me, still didn't fix the website problem. I won't worry about that part anymore. What concerns me more now is that the pc runs a lot slower after we did the malware removal process than it did beforehand. I know it's an old computer but it just wasn't this slow before. It will take about 3 min for internet explorer to open after it has been clicked on. Are there any different logs you could look at that may tell more? Sorry to keep bothering you but it's ridiculous! Thanks again for all you guys do on here. :dood
     
  25. thisisu

    thisisu Malware Consultant

  26. pshs2k2

    pshs2k2 Private E-2

    That was a bunch of confusion! :-o Is there any way you could possibly sort this HJT log out and give me some input?
     

    Attached Files:

  27. thisisu

    thisisu Malware Consultant

    I am not sure what you are requesting. There isn't any malware in this log. Do you want me to give you some instructions to remove some unnecessary startup items? The problem with me doing this is that I do not know what YOU want to have starting up automatically and what you do not want.
     
  28. pshs2k2

    pshs2k2 Private E-2

    I just need avast and malwarebytes starting up automatically, and I don't know of anything else that I couldn't just manually start when needed. I'm just afraid that I will disable something needed to boot windows.
     
  29. thisisu

    thisisu Malware Consultant

    I would not even recommend running an antivirus with such a low amount of memory. This is the main reason why the PC is slower than before, because in your first set of logs you did not have an antivirus installed.

    I will give you some recommendations on how to speed things up a bit but it may not be enough to notice a difference.

    http://img823.imageshack.us/img823/2039/msnmsg.gif Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    http://img825.imageshack.us/img825/2648/hjt.gif Run HiJackThis
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Treasure%20Masters,%20Inc/Images/stg_drm.ocx
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1229357477231
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
    O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Treasure%20Masters,%20Inc/Images/armhelper.ocx
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4
     
    Last edited: Feb 17, 2012
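The HijackThis entries the consultant singled out in post 3 (the "(no file)" BHO/toolbar orphans) and in post 29 (O4 autostart entries and O16 DPF ActiveX controls) follow a regular line format. The script below is an added example, not part of this thread, of HijackThis or of the consultant's tooling; it parses those line types and groups them the same way, using a sample log constructed from lines posted above.

```python
# HijackThis log triage helper.  Added example; not part of the MajorGeeks
# thread, of HijackThis, or of the consultant's tooling.  It parses the
# R3/O2/O4/O16 lines quoted in the thread and groups them the way the consultant
# did: "(no file)" orphans, O16 DPF (ActiveX) controls with a local file:///
# source or no source URL at all, and O4 autostart entries with their command.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(?P<code>[OR]\d+)\s+-\s+(?P<rest>.*)$")  # "O2 - rest"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 remainder looks like: HKLM\..\Run: [Name] "C:\path\prog.exe" -args
O4_RE = re.compile(r"^(?P<key>\S+)\\\.\.\\Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")

@dataclass
class Entry:
    code: str
    text: str
    clsid: Optional[str] = None
    run_name: Optional[str] = None
    run_cmd: Optional[str] = None
    flags: List[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[Entry]:
    # Returns None for anything that is not an HJT entry line.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    e = Entry(m.group("code"), rest)
    c = CLSID_RE.search(rest)
    e.clsid = c.group(0) if c else None
    if rest.endswith("(no file)"):
        e.flags.append("orphan")  # registration survives, the file is gone
    if e.code == "O16":
        # "DPF: {CLSID} (Name) - URL"; a missing URL leaves a single part
        parts = rest.split(" - ", 1)
        if len(parts) == 1:
            e.flags.append("no-source")
        elif parts[1].lower().startswith("file:///"):
            e.flags.append("local-dpf")  # control sourced from local disk
    elif e.code == "O4":
        r = O4_RE.match(rest)
        if r:
            e.run_name, e.run_cmd = r.group("name"), r.group("cmd")
            e.flags.append("autostart")
    return e

def triage(log_text: str) -> Dict[str, List[Entry]]:
    # Group flagged entries by flag; entries with no flag are dropped.
    groups: Dict[str, List[Entry]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        for f in (e.flags if e else ()):
            groups.setdefault(f, []).append(e)
    return groups

# Constructed sample, assembled from lines posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Treasure%20Masters,%20Inc/Images/stg_drm.ocx
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
"""
```

Running `triage(SAMPLE_LOG)` leaves the ESET scanner control unflagged, since it has a remote download URL, while the two "(no file)" lines, both O4 items and the two questionable O16 controls each land in their group.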
  30. pshs2k2

    pshs2k2 Private E-2

    You are right, this is the best a pc will be with these specs :p I had forgotten about not having an av installed before! I will let you be now, thanks again for all you do! :wave
     
  31. thisisu

    thisisu Malware Consultant

    No problem. Surf safely!
     
