Tech Support Forum > Security Center > Virus/Trojan/Spyware Help

Poor performance and MSE issues

Old 09-26-2016, 02:14 PM   #1
Registered Member
 
Join Date: Jun 2009
Posts: 22
OS: Vista



Hello,

I am trying to resolve an issue on my parents' PC.

It had been getting slower and slower, coming to an almost dead stop last week. I regularly got asked to check things out, which usually meant allowing the PC to do updates for Windows / Java / Microsoft Security Essentials.

Most recently, MSE kept cleaning and freezing the whole machine. I booted into safe mode, downloaded Malwarebytes and cleaned some trojans, and ran MSE in safe mode, which was fine.

However, as soon as I booted normally, MSE would start cleaning and hang the whole machine.

I managed to stop MSE via msconfig, but Windows Update wouldn't work and any links to Microsoft knowledge base articles would just redirect to the MS home page, so I knew something was up.

I'm hoping you guys can help, I attach the DDS logs as requested. I await your advice.

Kind Regards
Jamie McDonald

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 9.0.8112.16811 BrowserJavaVersion: 11.101.2
Run by McDonald at 22:02:26 on 2016-09-26
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.2262.1747 [GMT 1:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: WebCGMHlprObj Class: {56B38F40-4E70-11d4-A076-0080AD86BA2F} - c:\windows\system32\cgmopenbho.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.8.0_101\bin\ssv.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - <orphaned>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.8.0_101\bin\jp2ssv.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [Application Restart #0] c:\program files\windows media player\wmpnscfg.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eRecoveryService] <no file>
dRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
dRunOnce: [KodakHomeCenter] "c:\program files\kodak\aio\center\AiOHomeCenter.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001067-0002-0067-ABCDEFFEDCBC} - <orphaned>
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{53C9F8AE-1C0C-434C-A9B3-5E2A4664294E} : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{B262F103-76FD-4475-9E0D-9A0CB14569D9} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{B4358EBE-F760-4AA7-9DD9-468AE35A8BFE} : DHCPNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2014-11-26 45736]
S0 RapportHades;RapportHades;c:\windows\system32\drivers\RapportHades.sys [2016-9-12 101992]
S1 RapportCerberus_1609053;RapportCerberus_1609053;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_1609053.sys [2016-9-20 775592]
S1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2016-9-12 328808]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2016-9-12 407880]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2013-12-6 209408]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2013-12-6 276992]
S2 AODDriver4.2.0;AODDriver4.2.0;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2013-9-20 50432]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2014-4-11 103608]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-16 21504]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2014-5-6 395640]
S2 Kodak AiO Status Monitor Service;Kodak AiO Status Monitor Service;c:\program files\kodak\aio\statusmonitor\EKPrinterSDK.exe [2013-12-11 780152]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2016-9-12 2387952]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2013-7-5 75264]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2014-8-16 18944]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2016-9-12 257608]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2014-4-11 772296]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2008-7-14 80744]
.
=============== File Associations ===============
.
FileExt: .inf: inffile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2016-09-20 21:43:14 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-09-20 21:42:41 53120 ----a-w- c:\windows\system32\drivers\mwac.sys
2016-09-20 21:42:41 24448 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-09-20 21:42:41 126336 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2016-09-20 21:42:40 -------- d-----w- c:\programdata\Malwarebytes
2016-09-20 21:42:40 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2016-09-12 19:21:00 257608 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2016-09-12 19:21:00 101992 ----a-w- c:\windows\system32\drivers\RapportHades.sys
.
==================== Find3M ====================
.
2016-09-15 06:55:31 796352 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-09-15 06:55:31 142528 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2016-08-09 19:37:08 95808 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2016-07-27 15:10:20 406184 ------w- c:\windows\system32\MpSigStub.exe
2016-07-15 21:32:33 1815552 ----a-w- c:\windows\system32\jscript9.dll
2016-07-15 21:29:13 367616 ----a-w- c:\windows\system32\html.iec
2016-07-15 21:27:01 1129984 ----a-w- c:\windows\system32\wininet.dll
2016-07-15 21:26:02 425472 ----a-w- c:\windows\system32\vbscript.dll
2016-07-15 21:26:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2016-07-15 21:25:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2016-07-15 21:25:02 11776 ----a-w- c:\windows\system32\mshta.exe
2016-07-15 21:24:50 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2016-07-11 07:00:58 1260032 ----a-w- c:\windows\system32\lsasrv.dll
2016-07-11 05:40:05 2072064 ----a-w- c:\windows\system32\win32k.sys
2016-07-11 05:36:32 2048 ----a-w- c:\windows\system32\tzres.dll
2014-11-25 23:26:38 6000640 ----a-w- c:\program files\GUT7677.tmp
.
============= FINISH: 22:04:46.23 ===============
Attached Files
File Type: txt attach.txt (14.8 KB, 25 views)
ceejam is offline  
 
Old 09-27-2016, 12:35 AM   #2
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jamie,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

Please do the below steps.

STEP 1

Please download AdwCleaner from here and save it to your desktop.

Click the green 'Download now @bleepingcomputer' button.
Run AdwCleaner and select Scan
Once the Scan is done, select Clean
Once done it will ask to reboot, please allow the reboot.
On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
Please copy/paste the contents of the log in your next reply.

STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

=========================================================

Things I need to see in your next post:
  • AdwCleaner[C#].txt
  • FRST.txt
  • Addition.txt
tekir06 is offline  
Old 09-27-2016, 12:42 AM   #3
Registered Member
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Hi Tolga,

Thanks for your response. I've got those tools downloaded and will run the scans and post back later.

Thanks again
Jamie
ceejam is offline  
 
Old 09-27-2016, 04:50 AM   #4
Registered Member
 
Join Date: Jun 2009
Posts: 22
OS: Vista



Hello Tolga,

I've run AdwCleaner and Farbar; here are the logs as requested.

Just to let you know, I am running these scans on the PC in 'Safe mode' - Is that OK?



# AdwCleaner v6.020 - Logfile created 27/09/2016 at 12:32:44
# Updated on 14/09/2016 by ToolsLib
# Database : 2016-09-27.1 [Server]
# Operating System : Windows Vista (TM) Home Basic Service Pack 2 (X86)
# Username : McDonald - MCDONALD-PC
# Running from : C:\Users\McDonald\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\Users\McDonald\AppData\Local\iac
[#] Folder deleted on reboot: C:\Users\McDonald\AppData\Local\IAC
[-] Folder deleted: C:\Users\McDonald\AppData\LocalLow\iac
[#] Folder deleted on reboot: C:\Users\McDonald\AppData\LocalLow\IAC
[-] Folder deleted: C:\ProgramData\Ask
[#] Folder deleted on reboot: C:\ProgramData\Application Data\Ask


***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\MozillaPlugins\@VideoDownloadConverter_ScriptHelper.com/Plugin
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2D6F0AC3-0C2E-4E07-8FDA-11268AB51211}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A86782D8-7B41-452F-A217-1854F72DBA54}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{38122A36-83B2-46B8-B39A-EC72A4614A07}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{38122A36-83B2-46B8-B39A-EC72A4614A07}
[-] Value deleted: HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
[-] Key deleted: HKU\S-1-5-21-600374154-429795244-3592906477-1000\Software\Yahoo\Companion
[-] Key deleted: HKU\S-1-5-21-600374154-429795244-3592906477-1000\Software\Yahoo\YFriendsBar
[-] Key deleted: HKU\S-1-5-21-600374154-429795244-3592906477-1000\Software\YahooPartnerToolbar
[-] Key deleted: HKU\S-1-5-21-600374154-429795244-3592906477-1000\Software\AppDataLow\Software\Yahoo\Companion
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-600374154-429795244-3592906477-1000\Software\Yahoo\Companion
[#] Key deleted on reboot: HKCU\Software\Yahoo\Companion
[#] Key deleted on reboot: HKCU\Software\Yahoo\YFriendsBar
[#] Key deleted on reboot: HKCU\Software\YahooPartnerToolbar
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Yahoo\Companion
[-] Key deleted: HKLM\SOFTWARE\Yahoo\Companion


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [3529 Bytes] - [27/09/2016 12:32:44]
C:\AdwCleaner\AdwCleaner[S0].txt - [3634 Bytes] - [27/09/2016 12:27:51]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [3675 Bytes] ##########
Attached Files
File Type: txt Addition.txt (25.8 KB, 24 views)
File Type: txt FRST.txt (16.3 KB, 18 views)
ceejam is offline  
Old 09-28-2016, 04:23 AM   #5
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jamie,

Quote:
Just to let you know, I am running these scans on the PC in 'Safe mode' - Is that OK?
Why did you do this?

========================================================

Please do the following.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
HKU\S-1-5-21-600374154-429795244-3592906477-1000\...\MountPoints2: {4327e5d4-9164-11dd-92d9-001c2550b34b} - F:\LaunchU3.exe
HKU\S-1-5-18\...\Run: [] => [X]
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicy: Restriction ? <======= ATTENTION
BHO: No Name -> {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} -> No File
Toolbar: HKU\S-1-5-21-600374154-429795244-3592906477-1000 -> No Name - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} -  No File
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:
Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.


NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
tekir06 is offline  
Old 09-28-2016, 11:32 PM   #6
Registered Member
 
Join Date: Jun 2009
Posts: 22
OS: Vista



Hello Tolga,

I was booting into safe mode because the PC was so slow in normal boot. The drive light would be on for more than 5 minutes after Windows booted up and Internet Explorer would take ages to load and do anything. In safe mode, the PC was much better and made it possible to get onto the forum.

Here is the text from the fixlog.

Fix result of Farbar Recovery Scan Tool (x86) Version: 28-09-2016
Ran by McDonald (29-09-2016 07:03:28) Run:1
Running from C:\Users\McDonald\Desktop
Loaded Profiles: McDonald (Available Profiles: McDonald)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
HKU\S-1-5-21-600374154-429795244-3592906477-1000\...\MountPoints2: {4327e5d4-9164-11dd-92d9-001c2550b34b} - F:\LaunchU3.exe
HKU\S-1-5-18\...\Run: [] => [X]
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicy: Restriction ? <======= ATTENTION
BHO: No Name -> {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} -> No File
Toolbar: HKU\S-1-5-21-600374154-429795244-3592906477-1000 -> No Name - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No File
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:
*****************

Restore point was successfully created.
"HKU\S-1-5-21-600374154-429795244-3592906477-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4327e5d4-9164-11dd-92d9-001c2550b34b}" => key removed successfully.
HKCR\CLSID\{4327e5d4-9164-11dd-92d9-001c2550b34b} => key not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"C:\Windows\system32\GroupPolicy\Machine" => not found.
"C:\Windows\system32\GroupPolicy\Machine" => not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}" => key removed successfully.
HKCR\CLSID\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} => key not found.
HKU\S-1-5-21-600374154-429795244-3592906477-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5CBE3B7C-1E47-477E-A7DD-396DB0476E29} => value removed successfully.
HKCR\CLSID\{5CBE3B7C-1E47-477E-A7DD-396DB0476E29} => key not found.

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-600374154-429795244-3592906477-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-600374154-429795244-3592906477-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.


========= End of RemoveProxy: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.0.6001 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

Unable to cancel {13559951-F5A3-4834-87D0-4821EED9739C}.
Unable to cancel {DC8182AF-D882-48C7-AB38-40AE7B33EA32}.
0 out of 2 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 3529676 B
Java, Flash, Steam htmlcache => 771 B
Windows/system/drivers => 1645332857 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 26659540 B
LocalService => 18522111 B
NetworkService => 204221166 B
McDonald => 688511740 B

RecycleBin => 0 B
EmptyTemp: => 2.4 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 0722 ====
ceejam is offline  
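Added example, not part of this thread and not code from the AdwCleaner, FRST or DDS tools: a small Python triage script that parses the line formats seen in the AdwCleaner log (post #4) and in the FRST Fixlog above, then cross-references the CLSIDs from the DDS "Pseudo HJT Report" in the first post so an analyst can confirm which of the listed BHOs and hooks were actually removed, by which tool, and which were left alone. The three excerpts embedded in the script are constructed from the line formats in this thread (they are not the full logs), and the status classification and GUID-based reconciliation are this example's own logic, not anything the tools report themselves.

```python
import re
from collections import Counter

# Constructed excerpts in the formats shown in this thread (DDS "Pseudo HJT Report",
# AdwCleaner clean log, FRST Fixlog). They are short samples, not the full posted logs.
DDS_SAMPLE = r"""
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.8.0_101\bin\ssv.dll
"""

ADWCLEANER_SAMPLE = r"""
***** [ Folders ] *****

[-] Folder deleted: C:\Users\McDonald\AppData\Local\iac
[#] Folder deleted on reboot: C:\ProgramData\Application Data\Ask

***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Value deleted: HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
[#] Key deleted on reboot: HKCU\Software\Yahoo\Companion
"""

FIXLOG_SAMPLE = r"""
Restore point was successfully created.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}" => key removed successfully.
HKCR\CLSID\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} => key not found.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
"C:\Windows\system32\GroupPolicy\Machine" => not found.
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ADW_SECTION_RE = re.compile(r"^\*+ \[ (?P<name>.+?) \] \*+$")
ADW_ITEM_RE = re.compile(r"^\[(?P<mark>[-#])\] (?P<kind>\w+) deleted(?: on reboot)?: (?P<target>.+)$")
FIXLOG_RE = re.compile(r'^"?(?P<target>.+?)"? => (?P<result>.+?)\.?$')


def parse_adwcleaner(text):
    """One dict per deleted item: section, kind (Folder/Key/Value/...),
    deferred (True when '[#]' marks a removal that waits for reboot) and target."""
    items, section = [], None
    for line in text.splitlines():
        m = ADW_SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ADW_ITEM_RE.match(line)
        if m:
            items.append({"section": section, "kind": m.group("kind"),
                          "deferred": m.group("mark") == "#",
                          "target": m.group("target")})
    return items


def parse_fixlog(text):
    """(target, status) pairs from FRST 'target => result' lines; status is
    'removed' (key/value/file handled), 'not_found' or 'other'."""
    rows = []
    for line in text.splitlines():
        m = FIXLOG_RE.match(line)
        if not m:
            continue
        result = m.group("result").lower()
        if "successfully" in result:
            status = "removed"
        elif "not found" in result:
            status = "not_found"
        else:
            status = "other"
        rows.append((m.group("target"), status))
    return rows


def summarize(cleaner_items, fixlog_rows):
    """Counts an analyst would put in the case notes."""
    return {
        "adwcleaner_by_kind": dict(Counter(i["kind"] for i in cleaner_items)),
        "adwcleaner_deferred": sum(i["deferred"] for i in cleaner_items),
        "frst_by_status": dict(Counter(s for _, s in fixlog_rows)),
    }


def reconcile(dds_text, cleaner_items, fixlog_rows):
    """Map every GUID listed in the DDS report to the tool that handled it:
    'adwcleaner', 'frst' or 'untouched'. Orphaned BHOs and search hooks are the
    usual adware leftovers; a legitimate helper (Java's ssv.dll here) stays untouched."""
    handled = {}
    for item in cleaner_items:
        for g in GUID_RE.findall(item["target"]):
            handled.setdefault(g.upper(), "adwcleaner")
    for target, status in fixlog_rows:
        if status == "removed":
            for g in GUID_RE.findall(target):
                handled.setdefault(g.upper(), "frst")
    return {g.upper(): handled.get(g.upper(), "untouched")
            for g in GUID_RE.findall(dds_text)}


if __name__ == "__main__":
    items = parse_adwcleaner(ADWCLEANER_SAMPLE)
    rows = parse_fixlog(FIXLOG_SAMPLE)
    print(summarize(items, rows))
    for guid, where in reconcile(DDS_SAMPLE, items, rows).items():
        print(f"{guid}: {where}")
```

The reconciliation is the useful part: the DDS report names the orphaned CLSIDs before cleanup, and the two later logs each account for a subset of them, so anything still "untouched" after both passes is what the next FRST fixlist should look at. Run against the real logs, replace the three sample strings with the files' contents.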
Old 09-29-2016, 10:51 PM   #7
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jamie,

Ok. Please do the following.

Go here and click 'SCAN NOW' under 'ESET Online Scanner' to check for remnants.

You will be prompted to download and install esetonlinescanner_enu.exe. Click on the link and save the file to a convenient location.
Double-click on esetonlinescanner_enu.exe to install and a new window will open. Follow the prompts.
Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
At the bottom of the Terms of use window, tick the option Download latest version of ESET Online Scanner then click Accept
When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
Tick the option Enable detection of potentially unwanted applications
Click on Advanced settings
Make sure that the option Clean threats automatically is unticked.
Ensure these options are ticked:
  • Enable detection of potentially unsafe applications
  • Enable detection of suspicious applications
  • Scan archives
  • Enable Anti-Stealth technology

Click Scan
Wait for the scan to finish.
When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Please copy/paste the contents of the log in your next reply.
To close ESET Online Scanner, select Do not clean then Finish
tekir06 is offline  
Old 09-30-2016, 04:40 AM   #8
Registered Member
 
Join Date: Jun 2009
Posts: 22
OS: Vista



Hi Tolga,

I ran the ESET scanner and it found no threats, so there is no log file.
ceejam is offline  
Old 10-03-2016, 01:09 AM   #9
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello again.

Ok. Please do the following.

Launch Malwarebytes Anti-Malware

At the end of the installation, a database update will be performed.
On the Settings tab > Detection and Protection subtab, Detection Options section, tick the box Scan for rootkits.
Click on the Scan tab, then click on Start Scan.
A check for database updates will be performed.
After the update check completes, a scan will begin.
With some infections, you may see this message box.
'Could not load DDA driver'
Click Yes to this message, to allow the driver to load after a restart.
Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, click 'Remove Selected'.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.
tekir06 is offline  
Old 10-03-2016, 09:38 AM   #10
Registered Member
 
Join Date: Jun 2009
Posts: 22
OS: Vista



Hi Tolga,

I carried out the MBAM scan and it did not find any threats.

I have attached the log file.

The PC appears to be running better, but still a bit slow to startup.

Thanks for all your help so far....
Attached Files
File Type: txt MBAM031016.txt (1.0 KB, 18 views)
ceejam is offline  
Old 10-07-2016, 03:48 AM   #11
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jamie,

Sorry. I did not see your reply.
Quote:
The PC appears to be running better,
Good news.

Please re-run FRST tool. Then add fresh FRST.txt and Addition.txt.
tekir06 is offline  
Old 10-07-2016, 08:39 AM   #12
Registered Member
 
Join Date: Jun 2009
Posts: 22
OS: Vista



Hello again,

I haven't been receiving email updates for this topic, even though the options are selected in subscribed topics!

I have run FRST and attached the two files.

The PC is still very slow to startup - the HDD light is on for a long time after windows appears!

Thanks
Jamie
Attached Files
File Type: txt Addition.txt (25.9 KB, 22 views)
File Type: txt FRST.txt (17.2 KB, 23 views)
ceejam is offline  
Old 10-09-2016, 11:52 PM   #13
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jamie,

Your logs are clean. The issue does not seem malware related. You can do that in writing at the following link.

Is your PC running slow...?

Or you can ask for help from our Windows Vista/Windows 7 Support Forum by opening up a new topic.
tekir06 is offline  
Old 10-10-2016, 02:03 AM   #14
Registered Member
 
Join Date: Jun 2009
Posts: 22
OS: Vista



Ok, thanks.

I have had a look at that topic already, will go ahead and follow the steps there.
Thanks for your help!!
ceejam is offline  
Old 10-10-2016, 03:57 AM   #15
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jamie,

You're welcome

Your reports are clear. Let's remove all tools and logs that we use.

CLEAN UP

Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Right-click on delfix.exe and select " Run as administrator " to run it.
  • Ensure Remove disinfection tools is ticked. Also tick: Create registry backup, Purge system restore
  • Click Run
  • delfix will now delete all found traces of our removal process.

Note: The program will run for a few moments and then notepad will open with a log. No need to post this log.

=========================================================

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System. Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn ON Automatic Updates in Windows Vista

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows

------------------------------------------------------

PREVENTION

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
tekir06 is offline  
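Added example, not part of this thread and not code from the MVPS project: a Python hosts-file parser that does what the MVPS HOSTS bullet in the post above describes, mapping the listed ad hosts to 127.0.0.1 (or 0.0.0.0, which hosts files of this kind also use) so the resolver never contacts them, plus a small audit that flags entries overriding names under domains the machine's owner expects to reach normally. The hosts excerpt and the protected-suffix list are constructed for this example; only the parsing rules (comment handling, whitespace-separated fields, first match wins, case-insensitive names) reflect how the hosts file is actually read.

```python
import ipaddress

# Addresses a hosts file uses to sinkhole a name: the connection never leaves the machine.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed hosts-file excerpt in MVPS style (not the real MVPS file). It mixes comment
# lines, tab- and space-separated fields, several names on one line, a disabled entry,
# and one deliberately odd line (a vendor name pointed at a private address) for the audit.
HOSTS_SAMPLE = """\
# MVPS-style HOSTS excerpt (constructed sample for this example)
127.0.0.1  localhost
::1        localhost
127.0.0.1  ads.example.net         # ad server, sinkholed to loopback
0.0.0.0\tbanner.example.org tracker.example.org
127.0.0.1  popup.example.com
# 127.0.0.1 disabled.example.com
10.0.0.5   update.microsoft.com
"""


def parse_hosts(text):
    """Parse hosts-file syntax: '#' starts a comment, whitespace separates fields,
    the first field is an address and every later field is a hostname mapped to it.
    Hostnames are lowercased because hosts lookups are case-insensitive."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: the resolver skips such lines as well
        entries.extend((addr, name.lower()) for name in fields[1:])
    return entries


def resolve(entries, name):
    """Return the address the hosts file gives for name, or None when the name is not
    listed and the lookup would go on to DNS. The first matching line wins, as in the OS."""
    name = name.lower()
    for addr, host in entries:
        if host == name:
            return addr
    return None


def audit(entries, protected_suffixes):
    """Return (blocked, flagged): how many names are sinkholed, and which entries
    override a name under a protected suffix (assumed list: domains whose real
    addresses the owner needs, e.g. the update servers of the OS vendor)."""
    blocked = sum(1 for addr, _ in entries if addr in SINKHOLES)
    flagged = [
        (addr, host) for addr, host in entries
        if host != "localhost"
        and any(host == s or host.endswith("." + s) for s in protected_suffixes)
    ]
    return blocked, flagged


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_SAMPLE)
    for name in ("ads.example.net", "Tracker.Example.org", "www.bbc.co.uk"):
        print(f"{name:22} -> {resolve(hosts, name) or 'not in hosts, DNS decides'}")
    blocked, flagged = audit(hosts, ("microsoft.com", "windowsupdate.com"))
    print(f"{blocked} sinkholed entries; {len(flagged)} entries to review: {flagged}")
```

To run it against a real file, read C:\Windows\System32\drivers\etc\hosts into HOSTS_SAMPLE's place. Because the hosts file is consulted before DNS, the same mechanism that blocks ad servers can silently redirect any other name, which is why the audit step belongs next to the block list.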
Old 10-10-2016, 09:22 AM   #16
Registered Member
 
Join Date: Jun 2009
Posts: 22
OS: Vista



Hi Tolga,

The link for delfix is not working.

Also, the link about turning on microsoft updates just directs me to a generic page on Microsoft - this seems to happen whenever I search for help on windows issues!


This is the text from the link

https://redirect.viglink.com/?format=go&jsonp=vglnk_147611644364717&key=935f66bc246cfba652317b8d41d3ef7f&libId=iu49gcwx01002urt000DA5ds14cpt7x8u&loc=http%3A%2F%2Fwww.techsupportforum.com%2Fforums%2Ff50%2Fpoor-performance-and-mse-issues-1160097.html&v=1&out=http%3A%2F%2Fwindows.microsoft.com%2Fen-us%2Fwindows%2Fturn-automatic-updating-on-off%23turn-automatic-updating-on-off%3Dwindows-vista&title=Poor%20performance%20and%20MSE%20issues%20-%20Tech%20Support%20Forum&txt=%3CB%3ETurn%20ON%20Automatic%20Updates%20in%20Windows%20Vista%3C%2FB%3E
ceejam is offline  
Old 10-11-2016, 12:23 AM   #17
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jamie,

Delfix link is here.

For "Turn ON Automatic Updates in Windows Vista" is here
tekir06 is offline  
Old 10-11-2016, 11:48 AM   #18
Registered Member
 
Join Date: Jun 2009
Posts: 22
OS: Vista



Hello,

I ran delfix and that cleaned up the fixing tools.

I now have a weird issue with accessing links on the microsoft website. Whenever I select a link, it takes me to the support home page (see attachment) and adds some characters onto the web address, see below

https://support.microsoft.com/en-us/kb/306525#!/en-us

I am also having trouble getting Windows Update to run......
[Attachment: microsoft.jpg]
Old 10-12-2016, 04:07 AM   #19
Security Team
Analyst
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Jamie,

Weird. It was never a problem when I looked. To turn on Automatic Updates yourself, follow these steps:
  • Click Start, type Windows update in the search box, and then click Windows Update in the Programs list.
  • In the left pane, click Change settings.
  • Select the option that you want.
  • Under Recommended updates, select the "Give me recommended updates the same way I receive important updates" or "Include recommended updates when downloading, installing, or notifying me about updates" check box, and then click OK.
Old 10-12-2016, 06:46 AM   #20
Registered Member
 
Join Date: Jun 2009
Posts: 22
OS: Vista



I left Windows update running all night, was still "Checking for updates" at lunchtime.

I have downloaded Firefox and found I can access the Microsoft links - it seems to be an issue with IE9!

I'm infection-free, just got issues with Vista, so think I will be upgrading to Win7 sometime soon!

Thanks again!!
Jamie