Sloow Puter. Scan says viruses and spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by SunKisses, Jan 2, 2006.

  1. SunKisses

    SunKisses Private E-2

    I originally came to this site because my other computer had a virus and tons of spyware that was difficult to get off of my machine, but after following the directions on the first post, I think that issue is resolved.

    Well, I decided to check out this computer to see what the deal is and went through all the same procedures. I have done everything except turn off system restore because if I understand correctly, I should not do that until everything has been cleaned? Anyway, the bitdefender scan said I had viruses that norton did not pick up. I think it said one could not be cleaned. Panda scan said I had 3 spywares on my machine, but I do not have the $80.00 to buy their product.



    Here are my scans...

    Thanks in advance!
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    • Click START > My Computer > Local Disk C: > Program Files
    • Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER
    To Extract HijackThis:
    • Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HJT) and click Next.

    After you have completed the above steps to relocate HJT, run it from the new location. Please save your HJT log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    After you complete the above, proceed with the below...

    Please see the below thread on how to install and run Ewido Security Suite.

    Running Ewido Security Suite ...
     
  3. SunKisses

    SunKisses Private E-2

    Ok I think I did this right. Now I'm off to run ewido security suite.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Common Files\rirr ←–– Delete this whole folder if it exists!

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\cpbrkpie.ocx into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, attach a fresh HJT log and let me know how things are running.
     
  5. SunKisses

    SunKisses Private E-2

    Wait, so u don't want me to run ewido? I haven't done that yet, but I was trying to figure out how to delete my norton recycle bin (which I cannot find). Do I still need to do that?

    I have installed ewido already, but u want me to go ahead and uninstall it?

    just making sure i'm understanding you correctly ;)
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I thought you had run it already, sorry for the confusion. Yes, go ahead and run it, post the log and then proceed with the fix.
     
  7. SunKisses

    SunKisses Private E-2

    I have norton corporate edition and I can't seem to find the protected recycle bin or whatever it is I am supposed to delete. I found a quarantine folder, but nothing else. Where should I be looking for this?

    Sorry for the dumb questions. I appreciate your help :)
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The "Norton Protected Recycle Bin" is the Recycle Bin on your desktop, it's just something Norton adds to the Recycle Bin. Personally I would turn that off.

    You can also delete the contents from the directory below...

    C:\RECYCLER
     
  9. SunKisses

    SunKisses Private E-2

    Well, I ran ewido. It's weird cuz my puter seems to be running slower than it did before the scan. Anyway here is the scan report and the new hjt log. Should I go ahead with the pocketkillbox?

    Thanks :)
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Follow every step in post #4, this should have been done before posting new logs.
     
  11. SunKisses

    SunKisses Private E-2

    Ok well I did everything you requested. Two problems though. I could not get ad-aware to do a full scan. It kept stopping after running like 63k files. So finally after like the 10th time I tried it, I tried the smart scan and it worked. But of course it didn't check everything. Also spybot was not able to remove two of the 3 problems I have on my computer because it says file is still in use in memory or something. I saved the log so you can take a look. Let me know if you want me to attach that later. Here is my new HJT log.

    Thanks :)
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, attach the Spybot log so I can see what couldn't be fixed.
     
  13. SunKisses

    SunKisses Private E-2

    Yay me! Thanks so so much.

    Would you mind taking a peek at my hjt log from my other computer? I am no longer experiencing any issues, but I know how these little pests can hide and attack again. It's a new computer with pretty much nothing on it so it shouldn't be a real long log. Lemme know and I'll post it from that computer.

    Anyway, here's the spybot log
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Click Start > Run > type services.msc and Click OK

    Locate cmdService and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply


    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    cmdService

    You may be told to reboot at this point. Reboot and let me know how things are running.
     
  15. SunKisses

    SunKisses Private E-2

    I can't find cmdservice on that list?
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Does Spybot still detect it?
     
  17. SunKisses

    SunKisses Private E-2

    Well, I haven't done anything differently since I ran it the last time, but I'll check it again.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, run another scan and let me know if they are still there. If so we will have to take control of those keys and manually delete them.
     
  19. SunKisses

    SunKisses Private E-2

    It's still there. Spybot caught a few others and was able to fix those, but couldn't fix the one. Here is the log...
     


  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in regedit

    Manually navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    Right click on cmdService and select "Permissions". In the list click on "Everyone" and at the bottom, check the box next to "Full Control". Click OK to exit.

    Now right click on "cmdService" and delete it. If you get any errors let me know!

    Now do the same for the key below:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Right click on cmdService and select "Permissions". In the list click on "Everyone" and at the bottom, check the box next to "Full Control". Click OK to exit.

    Now right click on "cmdService" and delete it.

    After you complete this, reboot and see if Spybot still detects these entries.
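
A read-only way to see where the service key from the post above actually lives, as an added example that is not part of the original thread. On Windows, CurrentControlSet is a link to the numbered control set named by the Current value under HKLM\SYSTEM\Select, so a key deleted through one path is also gone from the other. The script assumes PowerShell is available on the machine; the service name is the one from the thread.

```powershell
# Added example: read-only audit, nothing in the registry is changed.
# 'cmdService' is the service name from the thread; change it to audit another one.
$ServiceName = 'cmdService'

# HKLM\SYSTEM\Select maps roles to control set numbers (0 = no such set).
$select    = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$roleNames = 'Current', 'Default', 'Failed', 'LastKnownGood'

$report = Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object {
        $setName = $_.PSChildName
        $number  = [int]($setName -replace '\D')      # ControlSet001 -> 1
        # Roles this numbered set currently plays, e.g. "Current,Default".
        $roles   = $roleNames | Where-Object { $select.$_ -eq $number }

        $keyPath = "HKLM:\SYSTEM\$setName\Services\$ServiceName"
        $present = Test-Path -Path $keyPath
        $image   = $null
        if ($present) {
            # ImagePath is the binary or driver the service would start.
            $image = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).ImagePath
        }

        [pscustomobject]@{
            ControlSet = $setName
            Roles      = $roles -join ','
            KeyPresent = $present
            ImagePath  = $image
        }
    }

$report | Format-Table -AutoSize

# The Service Control Manager's view, independent of the raw keys.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    "SCM still lists $ServiceName (status: $($svc.Status))"
} else {
    "SCM does not list $ServiceName"
}
```

A row with KeyPresent set to True in a set that is not Current is a leftover copy in a backup control set such as LastKnownGood.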
     
  21. SunKisses

    SunKisses Private E-2

    OK, I am all clean! No threats found! If you want the logfile, I'll post it.

    Thank you so much for your help. You're the bestest, bjgarrick!
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you find the entries?
     
  23. SunKisses

    SunKisses Private E-2

    Well I found it in the first location, but not the second. I even checked controlset002 I think it was called, but it wasn't there either. I followed your instructions and got rid of it. Spybot came back clean both before the reboot and after.

    Now should I disable the system restore and what not?
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You did find it here?

    Yes, I would like you to Flush your System Restore Points. Please follow the instructions in this link --->Disable and Re-enable System Restore
    • First, turn OFF System Restore to flush any bad Restore Points.
    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
     
  25. SunKisses

    SunKisses Private E-2

    Yes, I think it was there that I found it.
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, reason I ask is because I am trying to find out if this is a real problem or a false positive from Spybot.

    Anyway, after you flush your system restore points, reboot and let me know how things are running and if any problems remain.
     
  27. SunKisses

    SunKisses Private E-2

    Well maybe it's still a little slow, but not nearly as slow as it once was. I went and bought a whole new computer because I couldn't deal with it. Not that this computer is any faster. It actually has less memory.

    I can definitely see a difference though. Thanks again!
     