Laptop Slow & Freezes

Re: Laptop Slow & Freezes

Postby jemmo » Mon Feb 10, 2014 8:19 pm

I reloaded McAfee - it was the only way I could turn off the McAfee scan to allow ComboFix to be downloaded.

Just ran ComboFix; log file below.

I thought we did Rkill? I will post separately so you can see where one log ends and the other starts.

ComboFix 14-02-05.02 - Bev 10/02/2014 18:49:43.6.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.3000.1428 [GMT 0:00]
Running from: c:\users\Bev\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-01-10 to 2014-02-10 )))))))))))))))))))))))))))))))
.
.
2014-02-10 19:05 . 2014-02-10 19:06 -------- d-----w- c:\users\Bev\AppData\Local\temp
2014-02-10 19:05 . 2014-02-10 19:05 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-02-10 19:05 . 2014-02-10 19:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-10 00:22 . 2014-02-10 00:23 -------- d-----w- c:\program files\McAfeeMOBK
2014-02-10 00:22 . 2010-04-13 20:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2014-02-10 00:22 . 2014-02-10 00:22 -------- d-----w- c:\program files\McAfee Online Backup
2014-02-10 00:22 . 2013-09-23 13:48 147912 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2014-02-10 00:20 . 2014-02-10 00:20 -------- d-----w- c:\program files\McAfee.com
2014-02-10 00:15 . 2013-12-05 17:21 174488 ----a-w- c:\windows\system32\mfevtps.exe
2014-02-07 21:52 . 2013-12-04 02:57 7760024 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{59765EDD-66B9-4756-9243-049EEDF5B94B}\mpengine.dll
2014-01-29 22:15 . 2014-01-29 22:16 -------- d-----w- c:\users\Bev\AppData\Roaming\GetRightToGo
2014-01-29 00:39 . 2014-01-29 00:39 -------- d-----w- c:\windows\Migration
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-05 00:05 . 2013-01-06 16:38 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-05 00:05 . 2011-12-24 11:03 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-18 06:13 . 2011-12-24 14:55 231584 ------w- c:\windows\system32\MpSigStub.exe
2013-12-05 17:29 . 2013-12-05 17:29 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-12-05 17:22 . 2013-12-05 17:22 213392 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2013-12-05 17:16 . 2013-09-24 20:45 572688 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-12-05 17:14 . 2013-12-05 17:14 365416 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-12-05 17:14 . 2013-12-05 17:14 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2013-12-05 17:13 . 2013-12-05 17:13 236000 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-12-05 17:12 . 2013-09-24 20:42 133992 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-11-26 22:06 . 2013-11-26 22:06 10152 ----a-w- c:\windows\system32\drivers\mfeclnrk.sys
2013-11-26 22:06 . 2013-11-26 22:06 80752 ----a-w- c:\windows\system32\drivers\mfencrk.sys
2013-11-26 22:06 . 2013-11-26 22:06 319808 ----a-w- c:\windows\system32\drivers\mfencbdc.sys
2009-11-27 12:16 . 2013-10-29 13:59 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
c:\program files\Acer\Empowering Technology\eAudio\eAudio .exe
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader .exe
c:\program files\Acer\Empowering Technology\ePower\ePower_DMC .exe
c:\program files\Acer\WR_PopUp\ProductReg .exe
c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent .exe
c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc .exe
c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService .exe
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\Google\Google Desktop Search\GoogleDesktop .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Launch Manager\QtZgAcer .exe
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Quit Counter\QuitCounter .exe
c:\program files\Samsung\Kies\KiesTrayAgent .exe
c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4 .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\Yahoo!\Messenger\YahooMessenger .exe
c:\windows\PLFSetI .exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-05 06:38 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"QuitCounter"="c:\program files\Quit Counter\QuitCounter.exe" [2005-03-14 1448848]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-28 6111232]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-02 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-02 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-02 145944]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-09-24 516912]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-03-15 2565520]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2011-03-28 1611160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2009-03-18 173352]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-09-24 516912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-25 113664]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 273296]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-2-18 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\DRIVERS\AVerA310USB.sys [2008-04-15 25856]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-06 00:05]
.
2014-02-10 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-01-23 10:57]
.
2014-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:09]
.
2014-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA1ce7814b980d430.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:09]
.
2013-01-23 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-01-23 10:49]
.
2014-02-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-01-23 10:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mystart.incredimail.com?a=6PQrgSBCA3
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACA ... spire_7730
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\users\Bev\AppData\Roaming\Mozilla\Firefox\Profiles\xvg8xryl.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ebay.co.uk
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mc ... A111GB0&p=
FF - ExtSQL: !HIDDEN! 2009-09-02 08:19; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-02-10 19:06
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5548)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
.
Completion time: 2014-02-10 19:12:15
ComboFix-quarantined-files.txt 2014-02-10 19:12
ComboFix2.txt 2014-02-01 12:17
ComboFix3.txt 2014-01-28 20:13
ComboFix4.txt 2014-01-26 02:47
ComboFix5.txt 2014-02-10 18:45
.
Pre-Run: 21,300,781,056 bytes free
Post-Run: 21,135,163,392 bytes free
.
- - End Of File - - 5CB0EBF20FF1D765697F7F4E42F82781
7BA4C7EA1EF33A92F5F01BE63EDACB6A
Jemmo

Re: Laptop Slow & Freezes

Postby jemmo » Mon Feb 10, 2014 8:20 pm

This is the RKill log from 09/10/14:

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/09/2014 09:58:49 PM in x86 mode.
Windows Version: Windows Vista (TM) Home Basic Service Pack 2

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

* ALERT: ZEROACCESS rootkit symptoms found!

* C:\Users\Bev\AppData\Local\{2ee9930a-52c8-0f2f-2ea3-d7c248d7e63d}\ [ZA Dir]
* C:\Users\Bev\AppData\Local\{2ee9930a-52c8-0f2f-2ea3-d7c248d7e63d}\L\ [ZA Dir]
* C:\Users\Bev\AppData\Local\{2ee9930a-52c8-0f2f-2ea3-d7c248d7e63d}\U\ [ZA Dir]

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 02/09/2014 09:59:45 PM
Execution time: 0 hours(s), 0 minute(s), and 56 seconds(s)
Jemmo

Re: Laptop Slow & Freezes

Postby Gecko » Tue Feb 11, 2014 1:30 pm

It looks like you might still have a rootkit; let's try another removal tool.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan.
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

Re: Laptop Slow & Freezes

Postby jemmo » Tue Feb 11, 2014 7:44 pm

Nothing found.
Jemmo

Re: Laptop Slow & Freezes

Postby Gecko » Wed Feb 12, 2014 12:25 am

Well that's good.

So how is it running now?

Re: Laptop Slow & Freezes

Postby jemmo » Wed Feb 12, 2014 7:49 pm

Was running better last night, but wifey says it's running slow again now.

Another ComboFix?

Oh hang on - McAfee is doing a scan. Always slows things down. Will update when finished.
Jemmo

Re: Laptop Slow & Freezes

Postby jemmo » Tue Feb 25, 2014 12:32 am

Hmm... it's apparently been running slow again.
The latest ComboFix log is below:

ComboFix 14-02-24.02 - Bev 24/02/2014 23:00:30.10.2 - x86
Running from: c:\users\Bev\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Spybot - Search and Destroy *Disabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-01-24 to 2014-02-24 )))))))))))))))))))))))))))))))
.
.
2014-02-24 23:16 . 2014-02-24 23:17 -------- d-----w- c:\users\Bev\AppData\Local\temp
2014-02-24 23:16 . 2014-02-24 23:16 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-02-24 23:16 . 2014-02-24 23:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-11 19:08 . 2014-02-11 19:09 -------- d-----w- c:\program files\McAfee Security Scan
2014-02-10 00:22 . 2014-02-10 00:23 -------- d-----w- c:\program files\McAfeeMOBK
2014-02-10 00:22 . 2010-04-13 20:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2014-02-10 00:22 . 2014-02-10 00:22 -------- d-----w- c:\program files\McAfee Online Backup
2014-02-10 00:22 . 2013-09-23 13:48 147912 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2014-02-10 00:20 . 2014-02-10 00:20 -------- d-----w- c:\program files\McAfee.com
2014-02-10 00:15 . 2014-01-27 09:11 175480 ----a-w- c:\windows\system32\mfevtps.exe
2014-02-07 21:52 . 2013-12-04 02:57 7760024 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{59765EDD-66B9-4756-9243-049EEDF5B94B}\mpengine.dll
2014-01-29 22:15 . 2014-01-29 22:16 -------- d-----w- c:\users\Bev\AppData\Roaming\GetRightToGo
2014-01-29 00:39 . 2014-01-29 00:39 -------- d-----w- c:\windows\Migration
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-21 20:06 . 2013-01-06 16:38 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-21 20:06 . 2011-12-24 11:03 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-03 13:17 . 2014-02-13 00:35 53760 ----a-w- c:\windows\apppatch\iebrshim.dll
2014-01-27 09:18 . 2013-12-05 17:29 61400 ----a-w- c:\windows\system32\drivers\cfwids.sys
2014-01-27 09:12 . 2013-12-05 17:22 214216 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2014-01-27 09:06 . 2013-09-24 20:45 573840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2014-01-27 09:04 . 2013-12-05 17:14 366248 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2014-01-27 09:04 . 2013-12-05 17:14 66408 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2014-01-27 09:03 . 2013-12-05 17:13 236480 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2014-01-27 09:02 . 2013-09-24 20:42 134568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-12-18 06:13 . 2011-12-24 14:55 231584 ------w- c:\windows\system32\MpSigStub.exe
2009-11-27 12:16 . 2013-10-29 13:59 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
c:\program files\Acer\Empowering Technology\eAudio\eAudio .exe
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader .exe
c:\program files\Acer\Empowering Technology\ePower\ePower_DMC .exe
c:\program files\Acer\WR_PopUp\ProductReg .exe
c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent .exe
c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc .exe
c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService .exe
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\Google\Google Desktop Search\GoogleDesktop .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Launch Manager\QtZgAcer .exe
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Quit Counter\QuitCounter .exe
c:\program files\Samsung\Kies\KiesTrayAgent .exe
c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4 .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\Yahoo!\Messenger\YahooMessenger .exe
c:\windows\PLFSetI .exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-05 06:38 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"QuitCounter"="c:\program files\Quit Counter\QuitCounter.exe" [2005-03-14 1448848]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-28 6111232]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-02 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-02 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-02 145944]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2014-01-28 517392]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-03-15 2565520]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2011-03-28 1611160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2009-03-18 173352]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2014-01-28 517392]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-25 113664]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.141\SSScheduler.exe [2014-1-16 277920]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-2-18 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\DRIVERS\AVerA310USB.sys [2008-04-15 25856]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - FSUSBEXDISK
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-06 20:06]
.
2014-02-24 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-01-23 10:57]
.
2014-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:09]
.
2014-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA1ce7814b980d430.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:09]
.
2013-01-23 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-01-23 10:49]
.
2014-02-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-01-23 10:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mystart.incredimail.com?a=6PQrgSBCA3
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACA ... spire_7730
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\users\Bev\AppData\Roaming\Mozilla\Firefox\Profiles\xvg8xryl.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ebay.co.uk
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mc ... A111GB0&p=
FF - ExtSQL: !HIDDEN! 2009-09-02 08:19; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-02-24 23:17
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3272)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
.
Completion time: 2014-02-24 23:22:42
ComboFix-quarantined-files.txt 2014-02-24 23:22
ComboFix2.txt 2014-02-23 17:58
ComboFix3.txt 2014-02-18 22:31
ComboFix4.txt 2014-02-12 19:24
ComboFix5.txt 2014-02-24 22:57
.
Pre-Run: 21,311,131,648 bytes free
Post-Run: 21,158,035,456 bytes free
.
- - End Of File - - 95419488B0C94013793CF9C201ABCE42
7BA4C7EA1EF33A92F5F01BE63EDACB6A

------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------

And an RKill log:


Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/24/2014 11:30:18 PM in x86 mode.
Windows Version: Windows Vista (TM) Home Basic Service Pack 2

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\system32\FsUsbExService.Exe (PID: 2288) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

* ALERT: ZEROACCESS rootkit symptoms found!

* C:\Users\Bev\AppData\Local\{2ee9930a-52c8-0f2f-2ea3-d7c248d7e63d}\ [ZA Dir]
* C:\Users\Bev\AppData\Local\{2ee9930a-52c8-0f2f-2ea3-d7c248d7e63d}\L\ [ZA Dir]
* C:\Users\Bev\AppData\Local\{2ee9930a-52c8-0f2f-2ea3-d7c248d7e63d}\U\ [ZA Dir]

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 02/24/2014 11:31:07 PM
Execution time: 0 hours(s), 0 minute(s), and 49 seconds(s)




Damn thing just keeps coming back. Am I not doing something - or doing something wrong?
Jemmo
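A parser for the findings in the RKill log above (the Defender and firewall registry settings, the terminated process, and the ZeroAccess-style GUID directory with its L and U subfolders), added here as an example and not part of the thread or of RKill; the sample log is an abridged copy of the one quoted above, and the regexes and result field names are this example's own.

```python
import re

# Abridged copy of the RKill output quoted in this thread (constructed test input).
SAMPLE_RKILL_LOG = r"""
Checking for processes to terminate:
* C:\Windows\system32\FsUsbExService.Exe (PID: 2288) [WD-HEUR]
Performing miscellaneous checks:
* Windows Defender Disabled
[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001
* Windows Firewall Disabled
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000
* ALERT: ZEROACCESS rootkit symptoms found!
* C:\Users\Bev\AppData\Local\{2ee9930a-52c8-0f2f-2ea3-d7c248d7e63d}\ [ZA Dir]
* C:\Users\Bev\AppData\Local\{2ee9930a-52c8-0f2f-2ea3-d7c248d7e63d}\L\ [ZA Dir]
* C:\Users\Bev\AppData\Local\{2ee9930a-52c8-0f2f-2ea3-d7c248d7e63d}\U\ [ZA Dir]
"""

# Line patterns for the four kinds of finding shown above (our own, not RKill's format spec).
PROC_RE = re.compile(r"^\* (?P<path>.+?) \(PID: (?P<pid>\d+)\) \[(?P<reason>[^\]]+)\]$")
DISABLED_RE = re.compile(r"^\* (?P<what>Windows (?:Defender|Firewall)) Disabled$")
KEY_RE = re.compile(r"^\[(?P<key>HK[A-Z_]+\\.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)" = dword:(?P<val>[0-9a-fA-F]{8})$')
ZA_DIR_RE = re.compile(r"^\* (?P<root>.+?\\\{[0-9a-f-]{36}\}\\)(?P<sub>[LU]\\)? \[ZA Dir\]$")

def parse_rkill(log):
    """Return the security-relevant findings of an RKill log as a dict."""
    out = {"terminated": [], "disabled": [], "registry": {}, "zeroaccess": {}}
    key = None  # registry key that the next dword value line belongs to
    for line in (l.strip() for l in log.splitlines()):
        if m := PROC_RE.match(line):
            out["terminated"].append((m["path"], int(m["pid"]), m["reason"]))
        elif m := DISABLED_RE.match(line):
            out["disabled"].append(m["what"])
        elif m := KEY_RE.match(line):
            key = m["key"]
        elif (m := VALUE_RE.match(line)) and key:
            out["registry"].setdefault(key, {})[m["name"]] = int(m["val"], 16)
        elif m := ZA_DIR_RE.match(line):
            subs = out["zeroaccess"].setdefault(m["root"], set())
            if m["sub"]:
                subs.add(m["sub"].rstrip("\\"))
    return out

def zeroaccess_profiles(findings):
    """GUID directories that show the full layout RKill flagged: root plus both L and U."""
    return sorted(r for r, s in findings["zeroaccess"].items() if s >= {"L", "U"})
```

Running it over a real log gives a structured record of which protections were switched off (and by which registry value) and which directories need follow-up, which is what the later TDSSKiller step in this thread is for.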

Re: Laptop Slow & Freezes

Postby Gecko » Wed Feb 26, 2014 2:53 pm

Try running the TDSSKiller.exe rootkit removal tool again.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name (i.e. 123abc.exe).
Click the Start Scan button.
Do not use the computer during the scan.
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

Re: Laptop Slow & Freezes

Postby jemmo » Wed Mar 05, 2014 1:13 am

Ran the TDSS killer tonight - deleted 1 item.
Contents of the file are too big to be copied here and I can't upload a .txt file so have had to zip up - file attached.
Attachments
TDSSKiller.3.0.0.25_04.03.2014_23.36.53_log.zip
TDSSKiller Log File
(93.35 KiB) Downloaded 127 times
Jemmo

Re: Laptop Slow & Freezes

Postby Gecko » Thu Mar 06, 2014 3:39 am

Good, at last the root-kit was found and removed; this should resolve your issues.

If you do home banking from this system you might want to notify your bank and definitely change all your online passwords for safety.

Re: Laptop Slow & Freezes

Postby jemmo » Thu Mar 06, 2014 9:19 pm

Many thanks for your help. Again.
Wish I could buy you a beer!
Jemmo