so slow!!!

j20 · #1 (**permalink**) 13-09-2008, 01:36 AM

I am running Windows xp and I use windows firewall and avast anti virus and trojan hunter.I've been meaning to download a firewall.Anyway my computer is very slow.It's always lagging.Avast doesn't find anything.I did a kaspersky online scan and it found a fair few viruses but they looked like they were system files.So i'm a bit confused!
Here is my hi jack this log,thankyou!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:41 AM, on 13/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\sw g.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.google.com.au
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01...s/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 7799 bytes

Neal · #2 (**permalink**) 15-09-2008, 09:41 PM

Welcome,

To clean your temp folder, recycle bin, etc..please download this free tool:

CCleaner

Don't install any Toolbars, or other programs, should it ask you!Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.

Uncheck cookies

Before first use:
Select Options then Advanced.
UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Click on CCleaner to start it. Then click "Run Cleaner", just use the windows tab up front by default.

Then Reboot (Exit)

Did that help?

* Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and zLaunch Malwarebytes Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

j20 · #3 (**permalink**) 17-09-2008, 12:31 PM

I already have Ccleaner and regularly do Ccleaner scans even though they don't really make a difference.
Here is the malawarebytes log,it didn't find anything.

Malwarebytes' Anti-Malware 1.28
Database version: 1163
Windows 5.1.2600 Service Pack 2

17/09/2008 9:20:53 PM
mbam-log-2008-09-17 (21-20-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 88660
Time elapsed: 1 hour(s), 24 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Neal · #4 (**permalink**) 18-09-2008, 11:45 PM

Have you still got the kaspersky log?

Did you remove what it found?

j20 · #5 (**permalink**) 20-09-2008, 02:22 AM

I removed two of the viruses,I wasn't sure how to get rid of the rest though.
Here is the kaspersky scan I had saved

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 30, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 29, 2008 23:59:03
Records in database: 1165344
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 54778
Threat name: 11
Infected objects: 67
Suspicious objects: 0
Duration of the scan: 03:19:54

File name / Threat name / Threats count
C:\old\System Volume Information\_restore{082C9CEC-A19E-4D18-A5B8-C43242D12549}\RP3\A0000728.VBS Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\old\System Volume Information\_restore{082C9CEC-A19E-4D18-A5B8-C43242D12549}\RP3\A0000729.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\old\System Volume Information\_restore{082C9CEC-A19E-4D18-A5B8-C43242D12549}\RP3\A0000734.exe Infected: Sniffer.Win32.Agent.j 1
C:\old\System Volume Information\_restore{082C9CEC-A19E-4D18-A5B8-C43242D12549}\RP3\A0000736.EXE Infected: not-a-virus:PSWTool.Win32.MailPassView.s 1
C:\old\System Volume Information\_restore{082C9CEC-A19E-4D18-A5B8-C43242D12549}\RP3\A0000748.EXE Infected: Trojan.BAT.Small.ai 1
C:\old\System Volume Information\_restore{082C9CEC-A19E-4D18-A5B8-C43242D12549}\RP3\A0004920.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.g 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP1\A0001036.exe Infected: not-a-virus:AdWare.Win32.EZula.v 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP1\A0001037.exe Infected: not-a-virus:AdWare.Win32.EZula.ak 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001106.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001107.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001108.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001109.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001110.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001111.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001112.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001113.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001114.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001115.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001116.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001117.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001118.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001119.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001120.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001121.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001122.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001123.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001124.exe Infected: Backdoor.Win32.SdBot.05.v 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001125.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001126.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001127.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001128.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001129.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001130.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001131.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001132.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001133.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001134.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001135.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001136.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001137.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001138.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001139.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001140.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001141.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001142.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001143.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001144.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001145.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001146.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001147.EXE Infected: Backdoor.Win32.NetDevil.14 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001148.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001149.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001150.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001151.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001152.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001153.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001154.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001155.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001156.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001157.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001158.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001159.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001160.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001161.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001162.exe Infected: P2P-Worm.Win32.Surnova.e 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP2\A0001163.exe Infected: Backdoor.Win32.NetDevil.14 1
C:\old\System Volume Information\_restore{7A2798E7-8700-4EA6-A42D-E75489CB1862}\RP3\A0001364.exe Infected: Trojan.BAT.Small.ai 1

The selected area was scanned.

Neal · #6 (**permalink**) 21-09-2008, 11:52 PM

All of that is under system restore and should be easily removed but as a last step due to being under system restore. Since there are backdoor trojans showing there let's do a scan specifically targeting those:

Download SDFIX and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

j20 · #7 (**permalink**) 26-09-2008, 08:10 AM

SDFix: Version 1.229
Run by xp user on Fri 26/09/2008 at 03:59 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-26 16

02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjou r"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 4 Apr 2008 6,104,632 A..H. --- "C:\old\Program Files\Picasa2\setup.exe"
Thu 8 Jun 2000 110,080 A..H. --- "C:\old\System Volume Information\_restore{082C9CEC-A19E-4D18-A5B8-C43242D12549}\RP3\A0000100.sys"
Sun 27 Jul 2003 1,674 A..H. --- "C:\old\System Volume Information\_restore{082C9CEC-A19E-4D18-A5B8-C43242D12549}\RP3\A0000101.SYS"
Thu 23 Aug 2001 45,124 A..H. --- "C:\old\System Volume Information\_restore{082C9CEC-A19E-4D18-A5B8-C43242D12549}\RP3\A0000102.com"
Thu 8 Jun 2000 93,040 A.SH. --- "C:\old\System Volume Information\_restore{082C9CEC-A19E-4D18-A5B8-C43242D12549}\RP3\A0000105.com"
Fri 25 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f79e01c e8ee10a7556514a051f797f4\BIT1.tmp"

Finished!

HI JACK THIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:43 PM, on 26/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\sw g.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.google.com.au
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01...s/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 7450 bytes

Neal · #8 (**permalink**) 26-09-2008, 09:26 PM

Since SDFix and Malwarebytes did not find anything and hijackthis log is clean I suggest you do a system restore and clean that junk out of there.

Let's create a new restore point now and flush anything bad that may be hidden in there

Click Start>Help and Support>Undo changes to your computer with System Restore.
Click Create A Restore Point then click Next. Give it a name and then click Create.

THEN

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

This will remove all previous restore points except the newly created one.

j20 · #9 (**permalink**) 27-09-2008, 08:52 AM

I have done that and it has made no difference,it's still really slow and lagging!

Neal · #10 (**permalink**) 30-09-2008, 12:48 AM

Visit this page below to familiarize yourself to the tool below and download from one of the links provided.

A guide and tutorial on using ComboFix

If you have previously downloaded ComboFix,please delete that version now.

It is IMPORTANT that it is saved directly to your desktop

Close any open browsers.

Disconnect from the Internet.

Please do not re-connect your machine back to the Internet until Combofix has completely finished.

Disable your antivirus program and any realtime malware scanners and script blockers now

How To Disable

Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note:
Do not mouseclick combofix's window while it's running.

That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Re-enable your anti-virus and re-connect back to the internet and post the combofix log.

*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

ComboFix SHOULD NOT be used unless requested by a forum helper.