tonyst

Problem Description
All the sudden yesterday my XP laptop started running at a glacial pace, for no apparent reason. The fan runs continuously, the processor activity is high (20-100%) without anything running. Rebooting doesn't help. When I access the hd from another machine on the network it seems to write normally. The machine boots normally, but as soon as the desktop appears it starts to bog waaaaay down. Not much disk activity, no network activity, but the processor and fan are running constantly. Just opening a drop-down menu is a several-second wait. Everything works, just painfully slowly.

Basic Info
I have a 2 year old dell Inspiron 8600 laptop running win xp sp3, 2 gb ram, 80 gb hd with 12 gb free. I have Kapersky antivirus, hardware firewall on a network (software firewalls in kapersky and windows turned off). It's a work machine with only one game on it (installed a year ago). I run mostly biz software -- office, adobe creative suite, etc.

What I've tried

• Cleaned out the fan and vents as best I could without taking the whole thing apart
• ran a virus scan -- nothing
• Downloaded and Ran malwarebytes -- it found one trojan horse and removed it, but that didn't seem to fix anything
• I went back to a restore point several days ago, and it said there were no changes so it couldn't restore anything
• first turned off, then tried Reinstalling windows update -- some posts indicated that might be the problem. No change.
• Removed all temp files
• Started machine in diagnostic mode without all the startup items, and it still ran just as slow
• Found I still had an old norton live update on the machine and removed it

Recent activity (in the last 2-3 days before this happened)

• Deleted a bunch of files to create hd space
• A sound driver disappeared and I had to reinstall it
• Added two new computers (one brand new and one with a clean OS install and hd reformat) to network
• Had problems with an acrobat 8 update -- crashed in mid update. The program ran fine, but I ended up deleting the program to see if that was the problem (no joy) and have yet to reinstall it
  Installed cobain backup (shareware), it worked fine for a few days before this happened. Have since uninstalled -- no help

Here's the DDS log -- the gmer log is attached. I have hijack on the machine -- if you want that just ask.

----

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Cobian Backup 9] "c:\program files\cobian backup 9\Cobian.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 7.0\ie_banner_deny.htm
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 7.0\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0\adialhk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-4-28 112144]
R1 klif;Klif;\??\c:\windows\system32\drivers\klif.sys [2007-6-27 194320]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys []

=============== Created Last 30 ================

2008-12-03 15:05 250 a------- c:\windows\gmer.ini
2008-12-03 09:36 <DIR> --d----- c:\docume~1\tony\applic~1\Malwarebytes
2008-12-03 09:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-03 09:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 09:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-03 09:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 09:06 <DIR> --d----- c:\windows\pss
2008-12-02 19:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AcrobatInstall
2008-11-29 16:00 <DIR> --d----- c:\program files\Cobian Backup 9
2008-11-12 08:59 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 08:58 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-12-03 13:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2008-12-03 13:07 <DIR> --d----- c:\program files\Symantec
2008-12-02 13:31 72,062 a------- c:\windows\system32\nvModes.dat
2008-11-29 15:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RetroExp
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 13:51 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-03-25 12:46 <DIR> --d----- c:\docume~1\tony\applic~1\Intuit
2008-01-04 16:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Applications
2007-12-22 18:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2007-09-06 19:39 <DIR> --d----- c:\docume~1\tony\applic~1\Steinberg
2007-04-02 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2007-03-08 14:22 <DIR> --d----- c:\docume~1\tony\applic~1\Hemera
2006-12-19 09:04 <DIR> --d----- c:\docume~1\tony\applic~1\Libronix DLS
2006-12-19 09:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Libronix DLS
2006-12-14 10:26 <DIR> --d----- c:\docume~1\tony\applic~1\Intel

============= FINISH: 17:08:22.17 ===============

Attached Files

	Attach.txt (8.7 KB, 2 views)
	gmer2.txt (1.9 KB, 4 views)

ndmmxiaomayi

Hi tonyst,

Step 1

Please disable Kaspersky Antivirus temporarily as it may interfere with the fixes. Remember to re-enable it back before posting back the logs.

Please navigate to the system tray on the bottom right hand corner and look for a sign.

• Right click on it and select Pause Protection.
• Select By User Request.
• A popup will now show that Kaspersky Antivirus is disabled and a sign like this will now be shown.

Step 2

Please download Combofix from one of these locations:

Link 1
Link 2
Link 3

Save it to your desktop.

• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.
  
  
  
  With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

tonyst

I've attached my comifix log.

I tried a whole bunch of things last week and the problem went away temporarily -- only to be back again this morning. I'm not sure what I did that made the difference, or if I actually fixed anything. One thing I am considering is if it is the windows update or adobe updater -- I reinstalled windows update and uninstalled adobe acrobat 8 before things got back to normal, but when I reinstalled acrobat 8 it didn't seem to upset things. I ran another malwarebytes scan and got nothing.

I'm going to try uninstalling acrobat again.

Tony

Attached Files

combifixlog.txt (11.1 KB, 3 views)

ndmmxiaomayi

Hi tonyst,

Update Java Runtime Environment (JRE)

Your JRE is out of date. The current version is Java Runtime Environment (JRE) 6 Update 11.

1. Click on Start > Control Panel and double click on Add/Remove Programs. Locate Java(TM) 6 Update 3 and click on Change/Remove to uninstall it.
2. Repeat for these old versions of JRE:
   • Java(TM) 6 Update 5
   • Java(TM) 6 Update 7
3. Click here to visit Java's website.
4. Select Windows from the drop-down list for Platform.
5. Select Multi-language from the drop-down list for Language.
6. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
7. Click on jre-6u11-windows-i586-p.exe link to download it and save this to a convenient location.
8. Run this installation to update your Java.

Run an online scan

Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
   
   
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply.

In your next reply, please post back the Kaspersky Antivirus scan report.

tonyst

what's the difference between running a scan from kapersky on-line vs the copy on my laptop? (Just wanted to ask first -- the scan will take all day at the pace this thing is running).

ndmmxiaomayi

Online version doesn't remove any baddies found, and is useful for us mainly. You can use the copy that you have if the online version is taking a very long time.

tonyst

I had kapersky running on the machine, up to date, and have scanned it since the problem showed up. I found nothing. Should I do it again just for the report or something?

ndmmxiaomayi

Yes, please do.

tonyst

ok -- I'll get back to you.
By the way, I boot the machine into the bios settings program, before windows even starts, and still have the same the same problem.

ndmmxiaomayi

Please post another Gmer log after Kaspersky has finished scanning.

tonyst

I've attached the kapersky on-line scan log (it only took about 20 hrs!) There were two outlook viruses - I don't use outlook. The gmer log is still running.

Attached Files

kaperskylog.txt (1.1 KB, 1 views)

tonyst

here's the gmer log.

tony

Attached Files

gmerlog.txt (625.8 KB, 3 views)

ndmmxiaomayi

They are in your backup folder. Does anyone else use Outlook and back up Outlook regularly?

Your Gmer log doesn't look good, let me ask around first.

tonyst

No -- that's from years ago when i used to use outlook. Those files are actually from my previous computer.

tony

ndmmxiaomayi

Hi Tony,

1. Please download runscanner.zip and save it to your desktop.
2. Right click on runscanner.zip and Extract All....
3. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
4. Click on the Browse button. Click on Desktop. Then click OK.
5. Check (tick) the Show extracted files box and click Finish.
6. Double click on RunScanner.exe to run it.
7. Select Beginner Mode and click OK.
8. Uncheck Online malware analysis (optional) box and check the rest of the boxes.
9. Click on Scan computer at the top left hand corner.
10. When done, it will prompt you to save .RUN file. Save this file as rs.run to your desktop. It will save prompt you to save a log. Save this log to your desktop as well.
11. Zip rs.run and attach this file in your reply.