Problems after running ComboFix & Winsock XP Fix; System is REALLY SLOW now

Discussion in 'Malware Help (A Specialist Will Reply)' started by BBCMember, Oct 25, 2010.

  1. BBCMember

    BBCMember Private E-2

    There are a few things wrong with this system. I probably should post them in a separate post, but I'll try one big post first and see how that works out.

    The problems all started when there was a message that kept popping up:

    "Generic Host Process for Win32 Services has encountered a problem and needs to close"

    And when my client would click "Send to Microsoft" the computer would lock up and he'd have to do a hard reboot. Then he figured out that if he hit "Debug" that it would not lock up.

    In any respect, we did some research and found out that it might be malware/spyware.

    So here is what we have done so far:

    - Ran Spybot
    - Removed threats (don't know how many; I was not there when the client did it)
    - Ran MalwareBytes
    - Removed three items
    - Computer ran fine
    - Ran scan with SuperAntispyware
    - Found over 600 bad cookies
    - Removed them

    Then my client uninstalled TrendMicro Security Suite, which was a bit quirky. He said TrendMicro's site said to use the removal tool on the site to uninstall it. Then when he used the tool, the tool said to uninstall it via add/remove programs unless there was an issue. So he just used the tool anyway. But there are remnants of it still around. Most notable of the remnants are the extra network drivers in Device Manager. They mention TrendMicro as part of the driver name. So instead of one network driver for the NIC, there are two, and it is the TrendMicro one that works, not the plainly named one.

    When we disabled the TrendMicro network NIC driver, there was no longer a LAN connection OR a 1394 connection in Network connections, even though we just disabled the LAN connection. So we enabled the TrendMicro network driver again, and there is STILL no LAN connection nor is there a 1394 connection in Network connections. Anyone ever experience this? Solution?

    Continuing on…

    - Installed ESET NOD32 (was not connected to the Internet at that point, so it was not updated)
    - Ran ComboFix
    - ComboFix said there was a root kit issue and asked to reboot
    - It also asked to install the Recovery Console, but it couldn't because it was not connected to the Internet
    - Rebooted
    - It scanned again and took care of some files (see log attached)
    - Still no Internet, not sure if it had slowed down yet, because my client ran Winsock XP fix right after it
- Ran Winsock XP Fix 1.2 (got it from MajorGeeks.com)
    - After reboot, became REALLY slow, but again, it might have become slow after running ComboFix; not sure
    - Ran HijackThis (see attached log)

    WHAT IS HAPPENING NOW

    It runs REALLY slow
    It won't RIGHT-click on My Computer (the menu does not pop up)
    Have to click START>RIGHT-click My Computer in the start menu and go to Properties to be able to go to Device Manager
    Hour glass is appearing after every action and is very slow in completing each action

    Also, the Help Center is not working
    Since there is no Internet still, I had my client go into Device Manager to see if the driver was still there or if it was working correctly
    It said there was an issue with the TrendMicro NIC driver, so we selected to troubleshoot it, and that's when it said the Help Center was not installed
    We then tried to reinstall the Help Center via these instructions:
---------------------
Go to Start >> Run and type in: helpctr -regserver
To reinstall Help and Support:
Go to C:\Windows\inf\pchealth.inf. Right-click and choose install. Have your XP CD available.

Note: The folder is hidden by default. Go to Start >> Run and type in: control folders. View: Show hidden files and folders and uncheck "Hide extensions for known file types".
----------------------
    However, when it attempted to copy over the files from the XP SP2 CD, it said that it was copying over the file hlpcentr.exe (located on the computer) with helpcentr.ex_ (located on the CD). What's with the underscore instead of the letter "e"? There were several files with an underscore. Is that normal? Since I did not think it was safe to mix and match the help center from the disk (XP SP2) with the current installation (XP SP3), I had the client cancel it. However, I'm not sure how much of it installed, nor am I sure if the cancellation will reverse everything that was done in the installation attempt, or if it will just stop where it left off. Anyone know?

    One good thing about all of this is that the "Generic Host" popup has not popped up since he ran the MalwareBytes scan.

    The logs for both ComboFix and HijackThis are below.

    Thanks for the help!

    -----------------------

    COMBOFIX LOG
     

    Last edited by a moderator: Oct 25, 2010
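Added example, not part of the thread: the `.ex_` files the poster saw on the XP CD are the normal Microsoft install-media convention, where the last character of the extension is replaced by an underscore and the file is stored in a container that `expand.exe` knows how to unpack. The script below identifies that container from the file header (the SZDD and KWAJ formats written by the old `compress.exe`, and the MSCF cabinet format written by `makecab`, which is what 2000/XP media use) and, for SZDD, restores the original filename from the character stored in the header. The sample byte strings are constructed for the demonstration; the magic values are the documented ones.

```python
import struct

# Magic bytes of the three single-file containers expand.exe understands.
SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"   # compress.exe, Windows 3.x / 9x era
KWAJ_MAGIC = b"KWAJ\x88\xF0\x27\xD1"   # later compress.exe variant
MSCF_MAGIC = b"MSCF"                    # cabinet (makecab), used on 2000/XP media


def is_compressed_name(filename):
    """True if the name follows the install-media convention:
    a three-character extension whose last character is '_' (e.g. .ex_, .dl_)."""
    _base, sep, ext = filename.rpartition(".")
    return bool(sep) and len(ext) == 3 and ext.endswith("_")


def detect_container(data):
    """Return the container name the header matches, or None for a plain file."""
    if data.startswith(SZDD_MAGIC):
        return "SZDD"
    if data.startswith(KWAJ_MAGIC):
        return "KWAJ"
    if data.startswith(MSCF_MAGIC):
        return "MSCF"
    return None


def describe(filename, data):
    """Summarise what an install-media file is, from its name and header bytes.

    SZDD header layout: magic (8), mode byte 'A' (1), replaced last character
    of the original name or NUL (1), uncompressed size as little-endian uint32 (4).
    MSCF header layout: signature (4), reserved (4), total cabinet size uint32 (4).
    """
    container = detect_container(data)
    info = {
        "name": filename,
        "looks_compressed": is_compressed_name(filename),
        "container": container,
    }
    if container == "SZDD" and len(data) >= 14:
        missing = data[9:10]
        if missing != b"\x00" and filename.endswith("_"):
            # Put the stored character back: helpcentr.ex_ -> helpcentr.exe
            info["original_name"] = filename[:-1] + missing.decode("ascii")
        else:
            info["original_name"] = filename
        info["uncompressed_size"] = struct.unpack_from("<I", data, 10)[0]
    elif container == "MSCF" and len(data) >= 12:
        info["cabinet_size"] = struct.unpack_from("<I", data, 8)[0]
    return info


# Constructed sample headers (not real files from any CD).
SAMPLE_SZDD = SZDD_MAGIC + b"A" + b"e" + struct.pack("<I", 123456)
SAMPLE_MSCF = MSCF_MAGIC + b"\x00" * 4 + struct.pack("<I", 40960) + b"\x00" * 24
SAMPLE_PLAIN = b"MZ\x90\x00" + b"\x00" * 60   # start of an ordinary PE executable

if __name__ == "__main__":
    for name, blob in (("helpcentr.ex_", SAMPLE_SZDD),
                       ("helpcentr.ex_", SAMPLE_MSCF),
                       ("hlpcentr.exe", SAMPLE_PLAIN)):
        print(describe(name, blob))
```

A file whose name ends in `_` but whose header matches none of the three containers is the case worth a second look: it is not what install media normally contains, and it should not be copied over a system file as if it were.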
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes.

    Hmm, I am not sure about this, let's make some progress first with malware removal.

    Let's start by having you complete the rest of the procedures which I will link to below for reference. Also don't forget to attach logs from MBAM/SAS.

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.