Nov 1 2009, 02:01 AM
Post
#1
Authentic Member Group: Authentic Member Posts: 117 Joined: 27-October 07 From: St. Joseph, TN (USA) Member No.: 73,804 Operating System: XP Home

I think I had some bad ware on my computer but I thought I got it all off but I guess I didn't... Anyway, I re-formatted this evening after about 2 or 3 weeks of going slower and slower. Everything went fine, but after about 30 minutes or an hour it all of a sudden started like starting and stopping, almost like slipping and sticking friction wise. Sometimes it's slow... I've noticed that I have more svchost.exe and I think one more explorer.exe. I ran Malwarebytes Anti-malware and it found 5 baddies, and I deleted them all. I re-started and all was going good until like maybe 10 or 15 minutes and then it started doing like it was before, and the baddies came back. And it's slow on shut down too. I will put my Malwarebytes Anti-malware log and my HJT log.

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

11/1/2009 1:22:23 AM
mbam-log-2009-11-01 (01-22-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 56967
Time elapsed: 15 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\WINDOWS\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{y479c6d0-otrw-u5gh-s1ee-e0ac10b4e666} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\svchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:00 AM, on 11/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system32\explorer.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
c:\windows\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SpywareGuard\sgmain.exe
c:\windows\system32\vttimer.exe'
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\FlashGet Network\FlashGet 3\Flashget3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\FREEDO~1\fdm.exe

F2 - REG:system.ini: Shell=C:\WINDOWS\explorer.exe c:\windows\system32\explorer.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Documents and Settings\Home\Application Data\FlashGetBHO\FlashGetBHO3.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\RunOnce: [Explorer] c:\windows\system32\explorer.exe RO
O4 - HKLM\..\RunOnce: [Svchost] c:\windows\svchost.exe RO
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All By FlashGet3 - C:\Documents and Settings\Home\Application Data\FlashGetBHO\GetAllUrl.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download By FlashGet3 - C:\Documents and Settings\Home\Application Data\FlashGetBHO\GetUrl.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA63A28A-E34E-4B49-A236-136840D8CF76}: NameServer = 76.164.173.1 76.164.173.2
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

-- End of file - 5774 bytes

I hope you can help,
Thank you
Michael

This post has been edited by Rhineus: Nov 1 2009, 08:50 AM
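
A quick way to triage the duplicate svchost.exe and explorer.exe entries in a log like the one above, as an added example (not part of the original post and not a HijackThis feature): on Windows XP the core service processes load from C:\WINDOWS\system32 and explorer.exe from C:\WINDOWS, so the same name in any other folder deserves a look. `SAMPLE_LOG` is an excerpt of the posted log; the function and table names are this example's own, and it assumes Windows is installed in C:\WINDOWS.

```python
import ntpath
import re

# Expected folder (lower-case) for core Windows XP processes, assuming Windows
# is installed in C:\WINDOWS. Names not listed here are not judged.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {name: SYSTEM32 for name in (
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# Excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\windows\system32\explorer.exe
c:\windows\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe

F2 - REG:system.ini: Shell=C:\WINDOWS\explorer.exe c:\windows\system32\explorer.exe
O4 - HKLM\..\RunOnce: [Explorer] c:\windows\system32\explorer.exe RO
O4 - HKLM\..\RunOnce: [Svchost] c:\windows\svchost.exe RO
"""

# A drive-letter path up to the first ".exe"; the F2 line holds two of them.
EXE_PATH = re.compile(r'[A-Za-z]:\\[^:"\n]*?\.exe', re.IGNORECASE)
SECTION = re.compile(r"^([A-Z]\d+) - ")


def find_masquerading(log_text):
    """Return (path, expected_folder, source) for each misplaced system binary.

    source is the HijackThis section code (F2, O4, ...) for registry and
    startup entries, or "running process" for the process list.
    """
    findings = []
    for line in log_text.splitlines():
        tag = SECTION.match(line)
        source = tag.group(1) if tag else "running process"
        for path in EXE_PATH.findall(line):
            folder, name = ntpath.split(ntpath.normcase(path))
            expected = EXPECTED_DIR.get(name)
            if expected and folder != expected:
                findings.append((path, expected, source))
    return findings


if __name__ == "__main__":
    for path, expected, source in find_masquerading(SAMPLE_LOG):
        print(f"{source:16} {path}  (expected in {expected})")
```

A path check only catches copies dropped in the wrong folder; a file sitting in the expected folder can still have been replaced, so this narrows where to look rather than clearing anything.
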
Nov 7 2009, 07:39 AM
Post
#31
Authentic Member Group: Authentic Member Posts: 117 Joined: 27-October 07 From: St. Joseph, TN (USA) Member No.: 73,804 Operating System: XP Home

Nov 7 2009, 10:43 PM
Post
#32
SuperHelper Group: Classroom Teacher Posts: 5,758 Joined: 27-April 08 Member No.: 78,707 Operating System: win98se, XP pro
Hi

FDD = Flash Drive Disinfector. I gave you the link and some information in my last post. It will put a benign (safe) autorun.inf folder on all of your drives. It will help prevent bad files from running when the drive is attached.
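
The mechanism described in this post, sketched as an added example (not the FDD tool's code and not part of the original thread): a folder named autorun.inf at the root of a drive occupies the name, so a file of that name cannot simply be written there. The function names, the rename-to-quarantine step and the sample file are assumptions of this example.

```python
import os
import tempfile

AUTORUN = "autorun.inf"
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def launch_targets(inf_path):
    """List the commands an autorun.inf file asks Windows to start."""
    targets = []
    with open(inf_path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in LAUNCH_KEYS:
                targets.append(value.strip())
    return targets


def protect_root(drive_root):
    """Make sure drive_root holds an autorun.inf folder, never a file.

    An existing autorun.inf file is renamed (kept for inspection, an
    assumption of this example) and its launch commands are reported.
    """
    path = os.path.join(drive_root, AUTORUN)
    report = {"found": "nothing", "targets": [], "quarantined": None}
    if os.path.isdir(path):
        report["found"] = "folder"        # already protected, nothing to do
        return report
    if os.path.isfile(path):
        report["found"] = "file"
        report["targets"] = launch_targets(path)
        report["quarantined"] = path + ".quarantined"
        os.replace(path, report["quarantined"])
    os.mkdir(path)                        # the name is now taken by a folder
    return report


def demo():
    """Run against a constructed 'drive' in a temp folder; returns both reports."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, AUTORUN), "w") as fh:   # constructed sample
        fh.write("[autorun]\nopen=setup.exe\nicon=drive.ico\n")
    first = protect_root(root)
    second = protect_root(root)           # second run finds the folder
    return root, first, second


if __name__ == "__main__":
    print(demo())
```

On a real Windows volume the folder is usually also marked hidden, system and read-only. It is a speed bump rather than a guarantee, since anything that can delete the folder can replace it.
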

Nov 9 2009, 12:51 PM
Post
#33
Authentic Member Group: Authentic Member Posts: 117 Joined: 27-October 07 From: St. Joseph, TN (USA) Member No.: 73,804 Operating System: XP Home
Ok, so a clean format and install (XP and my portable/external HD) will get rid of the virus? What if I still have the virus after format/install? I don't know how many installs of XP I have left. Can you back up XP on a separate CD or drive so that if you get infected again, you can re-install without the need of the XP install disk? And, what kind of security do you have on your computer? I'm sorry I'm asking all these questions but I don't want to have to go through this again...

Nov 9 2009, 06:38 PM
Post
#34
SuperHelper Group: Classroom Teacher Posts: 5,758 Joined: 27-April 08 Member No.: 78,707 Operating System: win98se, XP pro
Hi Rhineus,

QUOTE
Ok, so a clean format and install (XP and my portable/external HD) will get rid of the virus?

A reformat will remove everything from the HD. Make certain your external drive is clean before moving anything from it back onto your computer. You can scan the drive at Kaspersky.

QUOTE
What if I still have the virus after format/install?

That would indicate some of your backups are infected.

QUOTE
I don't know how many installs of XP I have left.

I don't quite follow. If it's a retail version of XP there shouldn't be any limits.

QUOTE
Can you back up XP on a separate CD or drive so that if you get infected again, you can re-install without the need of the XP install disk?

You could look at investing in a drive imaging program such as Acronis True Image, Norton Ghost etc. Once you are sure the computer is clean, make an image. It's usually quicker replacing the image than reinstalling. The disadvantage would be your computer would return to the state that it was in on the date you made the image. Most of these programs can also be used to update the image. How often you update the image would determine how much data you would lose.

QUOTE
And, what kind of security do you have on your computer?

This is a very old computer and won't handle much. I have an antivirus, on demand anti-malware program and a firewall. I'm also behind a router. Missing is a real time antispyware program, but I don't think the old girl could handle it. There are also no P2P programs of any kind, I don't allow them.

Get reformatted and come back here. I can give you some tips on security programs and keeping safe.

QUOTE
I'm sorry I'm asking all these questions but I don't want to have to go through this again...

No problem. I will try to answer you as best I can.

Nov 9 2009, 06:59 PM
Post
#35
Authentic Member Group: Authentic Member Posts: 117 Joined: 27-October 07 From: St. Joseph, TN (USA) Member No.: 73,804 Operating System: XP Home
Ok, thanks a lot oldman... I will re-format and install, I think maybe tomorrow or the next day. I got to make sure that there isn't any exe, zip, rar etc. on my external HD. Then take it to my other computer and dump my documents onto that computer and then format my external HD from that computer.

Nov 9 2009, 08:00 PM
Post
#36
SuperHelper Group: Classroom Teacher Posts: 5,758 Joined: 27-April 08 Member No.: 78,707 Operating System: win98se, XP pro
Ok, just make sure it's absolutely clean before attaching it to another computer or you may have 2 infected ones.

Nov 12 2009, 05:14 PM
Post
#37
Authentic Member Group: Authentic Member Posts: 117 Joined: 27-October 07 From: St. Joseph, TN (USA) Member No.: 73,804 Operating System: XP Home
Ok oldman, I re/formatted and installed

Nov 12 2009, 11:54 PM
Post
#38
SuperHelper Group: Classroom Teacher Posts: 5,758 Joined: 27-April 08 Member No.: 78,707 Operating System: win98se, XP pro
Hi Rhineus,

First and foremost, make sure you get an antivirus program installed. If you haven't done so, you can download and install one of these free ones.

- Avast. Help and support can be found here: Avast Forum
- AVG. Help and support can be found here: AVG Forum
- Antivir PersonalEditionClassic. Help and support can be found here: Avira Personal Support Forum

Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates.

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Use the following links to get at least the basics installed.

You can find some very good tips and free programs that will help keep you safe Here. This includes programs such as antispyware and firewalls. More can be found HERE

Everything still ok?

Thanks

Nov 13 2009, 12:22 PM
Post
#39
Authentic Member Group: Authentic Member Posts: 117 Joined: 27-October 07 From: St. Joseph, TN (USA) Member No.: 73,804 Operating System: XP Home
Thanks oldman,

Yes, everything is going good... just need some good security and with your help I will be able to :-)

Can you tell me what you think the best free antivirus and firewall is? Which should I get, just IE-SPYAD or IE-SPYAD for ZonedOut?

This post has been edited by Rhineus: Nov 13 2009, 03:57 PM

Nov 13 2009, 07:33 PM
Post
#40
SuperHelper Group: Classroom Teacher Posts: 5,758 Joined: 27-April 08 Member No.: 78,707 Operating System: win98se, XP pro
Hi

QUOTE
Can you tell me what you think the best free antivirus and firewall is?

They all have their strong points. I'd give Avast and PCTools firewall a shot.

QUOTE
Which should I get, just IE-SPYAD or IE-SPYAD for ZonedOut?

Either one, though the second one might be easier to set up.

Nov 14 2009, 06:30 PM
Post
#41
Authentic Member Group: Authentic Member Posts: 117 Joined: 27-October 07 From: St. Joseph, TN (USA) Member No.: 73,804 Operating System: XP Home
QUOTE
Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall.

Sorry to be a N00b but what is a resident antispyware program and on demand antispyware program?

There are SO many free security programs out there that it gets me overwhelmed, even the links you gave me were too much... I don't really know what to download. I've been trying to find a good combination of basic security programs (Tell me if I have too much protection or not enough protection... probably not enough)

- malwarebytes'
- pc tools firewall
- avira (in process of downloading Avast)

Nov 15 2009, 12:01 AM
Post
#42
SuperHelper Group: Classroom Teacher Posts: 5,758 Joined: 27-April 08 Member No.: 78,707 Operating System: win98se, XP pro
Hi Rhineus,

QUOTE
what is a resident antispyware program and on demand antispyware program?

Resident antispyware program
Is a program that will scan in real time. In other words the scanning will take place while the files are being accessed.
Examples: Windows Defender and Spybot with TeaTimer enabled.

On Demand antispyware
You need to start the scan manually. Your computer or the area you select will then be scanned.
Examples: Free versions of Superantispyware and MalwareBytes AntiMalware (MBAM)

QUOTE
malwarebytes' pc tools firewall avira (in process of downloading Avast)

You have
- an On Demand Antispyware/Antimalware (MBAM, a very good one by the way)
- a firewall
- an antivirus program (Avira)

Do not install Avast if you already have Avira. 2 antivirus programs are not better than 1. They will conflict with each other and cause system slowdowns. The conflicts could also leave you with reduced protection. If you would rather use Avast, then uninstall Avira first.

Add either Spybot or Windows Defender to the mix and that part should be good.

Nov 15 2009, 09:39 AM
Post
#43
Authentic Member Group: Authentic Member Posts: 117 Joined: 27-October 07 From: St. Joseph, TN (USA) Member No.: 73,804 Operating System: XP Home
Ok thanks oldman... I will uninstall avira

Do you think I should uninstall threatfire (since I installed it) or leave it be?

(I know this is offtopic) I don't know if you know or not but is "Macrium Reflect Free Edition" a good disk imaging software and "EASEUS Partition Manager Master Home Edition" a good partition manager? Like I said before, I don't want to lose all my programs to a reinstall or virus.

This post has been edited by Rhineus: Nov 15 2009, 10:04 AM

Nov 15 2009, 01:20 PM
Post
#44
SuperHelper Group: Classroom Teacher Posts: 5,758 Joined: 27-April 08 Member No.: 78,707 Operating System: win98se, XP pro
Hi Rhineus,

Threatfire should be ok if it is the only resident antispyware program you install. The best place to ask about Disk Imaging software would be here

Nov 15 2009, 04:59 PM
Post
#45
Authentic Member Group: Authentic Member Posts: 117 Joined: 27-October 07 From: St. Joseph, TN (USA) Member No.: 73,804 Operating System: XP Home
Ok thx again...

This post has been edited by Rhineus: Nov 15 2009, 11:07 PM