Please help with Browser Crashes, Win32-Variants and extremely slow system

I am trying to help my kids get their computer running. They keep having browser crashes and Flash Player crashes. The computer runs at -25 mph and the start-up time is extremely slow. Interesting also… the shutdown time seems to be even longer for them. I followed the basics for a slow-running computer etc. and updated all the software. This is our older system and our kids do download lots of images (cartoon characters… screen savers, desktop themes, etc.), but they are not even able to log on to Webkinz or Club Penguin now because of the slow loading and crashes. (They are getting upset… those puffles need to be fed :wink: )

The scans are reporting process (aawservice.exe) memory block and around 75+ assorted Win32: variants (trj, worms, dialers, tools, Expl), too many to list unless needed -- please let me know if any are false positives, but something seems to be going on. MBAM did not show anything. Reports also have pages of files that cannot be scanned because they are password protected (we have not set this up).

OTL and ASW logs are attached.

Thank you so much for taking a look-- any help is appreciated. I would like to keep the system secure… don’t we all!

> The scans are reporting process (aawservice.exe) memory block and around 75+ assorted Win32: variants (trj, worms, dialers, tools, Expl), too many to list unless needed -- please let me know
aawservice.exe is from Ad-Aware.... do you have that installed? Was this a custom scan with "scan memory" selected? This usually gives some strange scan results, often detecting unencrypted signatures from other security programs installed. I recommend using the default quick / full scan with default settings.
> MBAM did not show anything.
Was it updated when you did the scan?
> Reports also have pages of files that cannot be scanned because they are password protected (we have not set this up)
Files that cannot be scanned are just that; it does not mean they are infected.... If you tell us the file name and where they are located, we may be able to tell you what they are.... I am guessing they are from Ad-Aware!

You also seem to have lots of toolbars, and a hosts file pointing to lots of b*** S*** search engines. There are also leftovers from almost every antivirus program known to mankind ;D
Anyway essexboy will clear this when he arrives…

The PC needs either a full clean up or a re install of operating system.

Uninstalling all the crap like screen savers, toolbars, etc.
Registry clean up
Defragging.
Stop programs from starting up
File system check & so on.

Let's see if we can get the penguins fed ;D

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {EAD3A971-6A23-4246-8691-C9244E858967} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-3697291689-1376643981-488748980-500\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3697291689-1376643981-488748980-500\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk.disabled ()
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O16 - DPF: {35B1769E-299A-4E17-B9D0-E669A02C0F18} http://inet-admin.midmich.net/download/QCDownload.cab (QCDownload2 Class)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe (Reg Error: Key error.)
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} http://toolbar.google.com/data/GoogleActivate.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab (Reg Error: Key error.)

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
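The earlier reply mentioned a hosts file "pointing to lots of b*** S*** search engines", and the OTL fix above resets it with [resethosts]. The following is an added example, not code from the thread, from OTL or from Avast: a small Python audit that parses a Windows-style hosts file and reports the two patterns that matter here, watched search-engine names redirected to a non-loopback address, and security-vendor names sinkholed to loopback (which would stop updates). The hosts content and the two domain lists are constructed assumptions for the example, not the poster's actual file.

```python
"""Audit a hosts file for search-engine redirects and sinkholed security sites.

Added example (not from the thread, OTL or Avast). The sample hosts text and
the watched-domain lists below are constructed for illustration.
"""
import ipaddress

# Assumed watch lists: names adware commonly redirects, and vendors it blocks.
SEARCH_DOMAINS = ("google.com", "bing.com", "yahoo.com", "ask.com")
SECURITY_DOMAINS = ("avast.com", "malwarebytes.org", "microsoft.com", "symantec.com")

# Constructed sample; 192.0.2.0/24 is the documentation range, not a real host.
SAMPLE_HOSTS = """\
# constructed sample, not the thread's hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com google.com     # search redirect
192.0.2.10      search.yahoo.com
127.0.0.1       www.avast.com                 # vendor sinkholed
127.0.0.1       ads.example.net               # ordinary ad block, harmless
"""


def parse_hosts(text):
    """Return (line_no, ip_address, [hostnames]) for each valid hosts entry.

    Comments (after '#') and blank or malformed lines are skipped, matching
    how the resolver itself treats the file.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; resolver would ignore it too
        entries.append((line_no, addr, [h.lower() for h in parts[1:]]))
    return entries


def _matches(hostname, suffixes):
    """True if hostname equals or is a subdomain of any suffix."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def audit_hosts(text):
    """Classify every non-localhost mapping in the hosts text.

    redirected:        watched search names sent to a non-loopback address
    blocked_security:  security-vendor names mapped to loopback/unspecified
    other_nonloopback: any other name sent off-box (worth a manual look)
    """
    findings = {"redirected": [], "blocked_security": [], "other_nonloopback": []}
    for line_no, addr, names in parse_hosts(text):
        for host in names:
            if host == "localhost":
                continue
            record = (line_no, host, str(addr))
            if addr.is_loopback or addr.is_unspecified:
                if _matches(host, SECURITY_DOMAINS):
                    findings["blocked_security"].append(record)
            elif _matches(host, SEARCH_DOMAINS):
                findings["redirected"].append(record)
            else:
                findings["other_nonloopback"].append(record)
    return findings


def clean_hosts():
    """The minimal default content a reset ([resethosts]) leaves behind."""
    return "127.0.0.1       localhost\n::1             localhost\n"


if __name__ == "__main__":
    for kind, hits in audit_hosts(SAMPLE_HOSTS).items():
        for line_no, host, addr in hits:
            print(f"{kind}: line {line_no}: {host} -> {addr}")
```

To run it against a live Windows XP machine, read the file from %SystemRoot%\System32\drivers\etc\hosts and pass its text to audit_hosts(); an empty findings dictionary on a home PC is the normal result, and anything in "redirected" or "blocked_security" is the kind of entry [resethosts] removes.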

I closed out my browser to run OTL and AVAST came up with warning/detection of rootkit…
win32:rootkit.gen it said it was detected on the desktop file of OTL.exe so it removed it. OK???

So I guess I DL it again and run as you directed.

OK, tried to DL again from the link on this site. It was blocked again. Here is what came up:

Infection Details
URL: http://oldtimer.geekstogo.com/OTL.exe
Process: file://C:\Program Files\Mozilla Firefox.…
Infection: win32:Rootkit-gen [Rtk]

Ignore that, it is a false positive - disable Avast for 10 minutes whilst it runs.

I will get a copy sent to avast as a FP

So I will still have to DL again right? But I will disable avast first… thanks

Yep I have now sent it as a FP ;D

grrr running in circles… disabled avast and ran OTL, but when it rebooted, AVAST restarted and automatically removed the OTL.exe from desktop before it even loaded up all the way.

I just completely turned off AVAST UGGH crossing my fingers… and will try again.

I will send them another copy to gee them up a bit

Thanks… I have tried my best so far! The OTL gave me a run for my money. I have attached the logs. Their computer is still very sluggish at start up and when loading a site.

Penguin update: I tried to feed one of my son's puffles on Club Penguin: it was taking so long to load and I could see the food I had to click on and the darn puffle starts to look mad!! It wasn't moving quick enough. I logged off quick because they do run away if you don't take care of them. By the puffle index factor, still moving slow.

Here are the logs:

OK, all visible malware is now dead, so let's investigate the invisible area. Is it just slowness now?

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the "Scan" button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/essexboy-1-1.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

Here is the log.

OK that also shows clean

Now we will update to IE8 http://www.microsoft.com/download/en/details.aspx?id=43

Ensure all temporary files are cleared

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

[*] Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

And then run a disk defragment

I would use the Auslogics one for this as it is better than the built-in Windows one http://download.cnet.com/Auslogics-Disk-Defrag/3000-2094_4-10567503.html?part=dl-6267754&subj=dl&tag=button