Messed up XP laptop

Discussion in 'Malware Help (A Specialist Will Reply)' started by jimryals, Oct 9, 2005.

  1. jimryals

    jimryals Private E-2

    Problems:
    -Very slow to nonexistent log-on to IE.
    -Very slow page swaps navigating in Windows.
    -Windows blue Stop pages.
    -Multiple malware problems I think I've cleaned only to find more.

    I loaded and ran everything I could from forum thread 35407

    -Ewido Security Suite scan was balky and stopped about 90% complete with blue stop screen:
    IRQL_NOT_LESS_OR_EQUAL
    Stop: 0x0000000A (0xE2A1D4E0, 0x000000FF, 0x00000000, 0x805E42A1)

    -Housecall found no issues

    -RAV found
    C:\WINDOWS\bundles\shopinst.exe_ -TrojanDownloader:Win32/Small.ZT

    -Trojan Scan found Adware.Altnet.a in
    c:\program files\yahoo!\YPSR\Quarantine\ppq41.tmp\adm4.dll

    -Couldn't load Panda (net connection issues?)

    -Adaware SE found no problems

    -Spybot didn't seem to load right, popped up an error box titled "Fehler" with the message "Tools.dll not found in !"; reported "CLSID database not found"; ran an incomplete scan with no threats found.

    -Yahoo Toolbar Antispy found Apropos dialer in hkey_local_machine\software\aprps\client

    After completing all this and rebooting to safe mode, the startup programs seemed to drag and it stopped to another blue screen with a different stop code:
    IRQL_NOT_LESS_OR_EQUAL
    Stop: 0x0000000A (0xE2969CDC, 0x000000FF, 0x00000000, 0xFF725F1B)

    Rebooted and no blue screen but I can't get on the net. I'm sending this via another computer and transferring files via USB memory stick.

    Maybe too much info for this msg but I'm not making any progress. Thanks for your assistance.
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    IRQL_NOT_LESS_OR_EQUAL is usually caused by an IRQ conflict between hardware devices, also can be caused by corrupt drivers.

    Your HijackThis log appears to be from Safe Mode, we need a log from Normal Mode to see what, if any, Malware infections you have.
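    Whatever the root cause turns out to be, the four parameters on a Stop 0x0000000A line carry documented meaning: parameter 1 is the memory address that was referenced, parameter 2 is the IRQL at the time of the reference, parameter 3 is 0 for a read and 1 for a write, and parameter 4 is the address of the instruction that made the reference. The decoder below is an added example written for this page, not a tool from the thread; it parses the two Stop lines the original poster quoted (reproduced here with the hex typos normalised) and reports what they say. The KERNEL_BASE value of 0x80000000 is an assumption for 32-bit XP with the default 2 GB user / 2 GB kernel split; a /3GB boot switch would move it.

```python
import re

# Constructed sample input: the two Stop lines quoted in the thread, hex typos normalised.
STOP_LINES = [
    "Stop: 0x0000000A (0xE2A1D4E0, 0x000000FF, 0x00000000, 0x805E42A1)",
    "Stop: 0x0000000A (0xE2969CDC, 0x000000FF, 0X00000000, 0XFF725F1B)",
]

BUGCHECK_IRQL_NOT_LESS_OR_EQUAL = 0x0000000A
# Assumption: 32-bit XP, default 2 GB user / 2 GB kernel split (no /3GB switch).
KERNEL_BASE = 0x80000000

_HEX = r"0[xX]([0-9A-Fa-f]{1,8})"
STOP_RE = re.compile(
    r"Stop:\s*" + _HEX + r"\s*\(\s*" + r"\s*,\s*".join([_HEX] * 4) + r"\s*\)"
)


def parse_stop_line(line):
    """Return (bugcheck_code, (p1, p2, p3, p4)); raise if the line is malformed."""
    m = STOP_RE.search(line)
    if m is None:
        # A letter O typed for a zero, or a stray character, fails here rather
        # than silently decoding to a wrong address.
        raise ValueError("unparseable Stop line: %r" % line)
    code, p1, p2, p3, p4 = (int(g, 16) for g in m.groups())
    return code, (p1, p2, p3, p4)


def decode_irql_not_less_or_equal(params):
    """Map the four 0x0000000A parameters to their documented meanings."""
    referenced, irql, access, instruction = params
    return {
        "referenced_address": referenced,
        "irql": irql,
        "access": "write" if access == 1 else "read",
        "faulting_instruction": instruction,
        "referenced_in_kernel_space": referenced >= KERNEL_BASE,
        "instruction_in_kernel_space": instruction >= KERNEL_BASE,
    }


def triage(line):
    """Parse one Stop line and decode it if it is bug check 0x0000000A."""
    code, params = parse_stop_line(line)
    if code != BUGCHECK_IRQL_NOT_LESS_OR_EQUAL:
        return {"code": code, "note": "not 0x0A; parameters have a different meaning"}
    result = decode_irql_not_less_or_equal(params)
    result["code"] = code
    return result


if __name__ == "__main__":
    for line in STOP_LINES:
        r = triage(line)
        print("0x%08X: %s of 0x%08X at IRQL 0x%02X from instruction 0x%08X "
              "(instruction in kernel space: %s)"
              % (r["code"], r["access"], r["referenced_address"], r["irql"],
                 r["faulting_instruction"], r["instruction_in_kernel_space"]))
```

    Both of the thread's lines decode as reads, with the faulting instruction in kernel space. What the parameters alone cannot tell you is which driver owns that instruction address; for that you need the memory dump (or the minidump in %SystemRoot%\Minidump) loaded in a kernel debugger.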
     
  3. jimryals

    jimryals Private E-2

    New HJT log from normal mode.
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can have HijackThis fix the following:
    O4 - HKLM\..\Run: [v3mP36S] tsblp30e.exe <---- Do you know what this is? I can't find any information on that file.
     
  5. jimryals

    jimryals Private E-2

    Fixed those 4 lines, rebooted, running much better. Navigation is faster and I'm actually on the net. New HJT log attached if needed.

    I still seem to have odd programs running. One shows up in the ZoneAlarm log with a program name comprised of odd characters like the yen sign, an a with a circle above, and rectangles. Any ideas?

    I plan to install SP2, do housekeeping like defrag. Any other suggestions?

    Oops, spoke too soon. No joy when I click Manage Attachments. Let me know if new HJT log needed.

    Thank you for the help!
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  7. jimryals

    jimryals Private E-2

    Did not find that file. HJT attached.
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is clean. How is your computer running?
     
  9. jimryals

    jimryals Private E-2

    Slow page swaps.

    The following programs attempt to connect to the net, but are blocked by Zonealarm:

    Æå}ٱٱ

    ٱٱٱ

    oån ٱٱ

    !

    Thanks for the rapid responses.
     
  10. jimryals

    jimryals Private E-2

    What's the best start-up and running process analysis with advice on what to kill?
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please post a new HJT log as an attachment.
     
  12. jimryals

    jimryals Private E-2

    HJT log as requested. BTW, I still get "error on page" when clicking the manage attachments button.
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  14. jimryals

    jimryals Private E-2

    I did install Ewido there. Should it be elsewhere?
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Typically Ewido would be installed in C:\Program Files\Ewido or similar.
     
  16. jimryals

    jimryals Private E-2

    Ewido log.
     

    Attached Files:

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run CCleaner before doing the below.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  18. jimryals

    jimryals Private E-2

    WinPFind log.
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using Add or Remove Programs in the Control Panel uninstall ShopAtHomeSelect Agent or similar sounding entries; then restart the computer.

    Run WinPFind again and post the log.
     
  20. jimryals

    jimryals Private E-2

    Nothing like that in Add or Remove.
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot in to Safe Mode.

    Open Windows Explorer and delete the following:
     
  22. jimryals

    jimryals Private E-2

  23. jimryals

    jimryals Private E-2

    I also saw C:\WINDOWS\SYSTEM32\fiz1, 2, 8, 9, 10, 11 and 12.
    Any concern?
     
  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Get rid of those also
     
  25. jimryals

    jimryals Private E-2

  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    To do some final cleanup

    Run Regedit and delete the following keys/values
     
  27. jimryals

    jimryals Private E-2

    Didn't find any of those.
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and install
    - ExplorerXP

    OK, let's look and see if there are any residual files on the system.

    Using ExplorerXP look for and delete the following if they exist:
     
  29. jimryals

    jimryals Private E-2

    By "systemroot+" I assume you mean "C:\Windows"

    Don't know what "profilepath+" is.

    Couldn't find any of the listed entries.

    I did find lot of files in C:\Windows\bundles that appear to belong to adware including sahagent-dectest1001.exe, sahagent-onlinetrafficbroker1001.exe and sahagent-seedcorn1002.exe.

    I'll send the whole list if you tell me how to get it into Notepad or another transferable method.
     
  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Profile Path would be C:\Documents and Settings\YourUserID.

    Delete the folder C:\Windows\Bundles and everything in it.
     
  31. jimryals

    jimryals Private E-2

    None of the listed files in C:\Documents and Settings

    Deleted C:\Windows\Bundles and everything in it.
     
  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post a fresh HijackThis log.

    How is your computer running?
     
  33. jimryals

    jimryals Private E-2

    HJT log attached.

    I still have slow page swaps, frequent "page not found" errors on IE, "error on page" when clicking Manage Attachments here. I am still saving logs on a memory stick and responding on another computer.
     

    Attached Files:

  34. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments
     
  35. jimryals

    jimryals Private E-2

    Can't scan with Panda - get "error on page" when clicking scan button.

    While opening/running Find_Qoologic a DOS-like window opened asking me to wait on a text. Then a Windows message window popped up with "WMI Not Installed" and wants me download "WMI" from tinyurl.com/7wd7. Does that sound right?
     
  36. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    WMI is the Windows Management Instrumentation go ahead and download and install.
     
  37. jimryals

    jimryals Private E-2

    The Microsoft site says the download takes no more than 8 minutes.

    I've been waiting an hour with a window displaying:
    16 bit MS-DOS Subsystem
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

    The hard drive light flickers occasionally. Do I let it run?
     
  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Exit the program.

    Follow the instructions in the attached document to fix the 16-bit MS-DOS Subsystem error.
     
    Last edited: Oct 15, 2005
  39. jimryals

    jimryals Private E-2

    I got config.nt, autoexec.nt and command.com expanded from the XP setup disk.

    Now when I try to download WMI core 1.5, I get the following dialog box:

    Unsupported Platform
    This version of the WMI Core Components is only supported on Windows NT 4.0 ServicePack 4 or later versions of Windows NT 4.

    Different WMI version needed?
     
  40. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It's for Windows NT w/SP4 or greater. So, you should be able to install it.
     
  41. jimryals

    jimryals Private E-2

    "...should be able to install it..."?
    Then I'm doing something wrong.
    I saved it as c:\windows\system\wmint4.exe
    When I double click on the icon I get the same Unsupported Platform msg and nothing happens.
     
  42. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Forget the Qoologic tool for now.

    Post the RKFiles log.
     
  43. jimryals

    jimryals Private E-2

    rkf log attached.
     

    Attached Files:

    • LOG.TXT
  44. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There is nothing in any of the logs that would lead me to believe that there is an infection.

    Have you tried to run Windows Update and bring your system up to date?
     
  45. jimryals

    jimryals Private E-2

    No, but I will.
     
  46. jimryals

    jimryals Private E-2

    Installed SP2 and all updates.

    Still have slow reaction time after clicking icons.

    Get "error on page" when clicking Manage Attachments button on this forum and "start scan" on Panda on-line scan.

    New Windows Firewall says it can't run.

    I have Qoologic file.txt if it is of any value now.
     
  47. jimryals

    jimryals Private E-2

    Qoologic-Finder report.
     

    Attached Files:

  48. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You don't need the Windows Firewall, make sure you disable it.
     
