
Infected with performance issues

Discussion in 'Virus & Other Malware Removal' started by yrawls, Feb 15, 2013.

Thread Status:
Not open for further replies.
  1. yrawls

    yrawls Thread Starter

    Joined:
    Jul 15, 2009
    Messages:
    28
    Hello. I have a Toshiba Satellite with Windows Vista. I suddenly noticed that my computer is running slow, especially when the computer loads or while web searching. It started with prompts to download Adobe Acrobat plug-ins for my browser.

    I ran multiple scans with SUPERAntiSpyware and Malwarebytes. They found nothing for months, then the speed slowed and the loading icon shows up randomly while I'm online. Suddenly Avira started showing a file trying to access another file on my computer whenever I was online. Then Microsoft Security Scan started showing that a file contained a rootkit, but it never removed the file; the removal process always failed. Once I installed some rootkit detectors (Kaspersky was one of them), they would run but never find the file.

    This is the filename that windows security states is infected but won't clean: Item Name: {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}
    Author:
    Related File: C:\WINDOWS\SYSWOW64\WBEM\WBEMESS.DLL
    Type: DCOM Components

    After the multiple scans I did, the program/trojan that was spotted started redirecting my browser pages to random pages. I uninstalled the browser and reinstalled it, and that fixed the redirection, but then the memory-low errors started. The defragmenting that I did didn't speed up anything. Today I can't use Mozilla; every page gives a DNS error. I really need some help and don't know what else to do.

    Here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 2:12:41 PM, on 2/12/2013
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.19393)
    Boot mode: Safe mode with network support

    Running processes:
    C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
    C:\Program Files (x86)\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = yulanda
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: WhiteSmoke B Toolbar - {f0e59437-6148-4a98-b0a6-60d557ef57f4} - C:\Program Files (x86)\WhiteSmoke_B\prxtbWhit.dll
    F2 - REG:system.ini: UserInit=userinit.exe,
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: WhiteSmoke B - {f0e59437-6148-4a98-b0a6-60d557ef57f4} - C:\Program Files (x86)\WhiteSmoke_B\prxtbWhit.dll
    O2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll
    O3 - Toolbar: Search Toolbar - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: WhiteSmoke B Toolbar - {f0e59437-6148-4a98-b0a6-60d557ef57f4} - C:\Program Files (x86)\WhiteSmoke_B\prxtbWhit.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
    O4 - HKLM\..\Run: [TUSBSleepChargeSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
    O4 - HKLM\..\Run: [PCMAgent] "C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe"
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [cfFncEnabler.exe] "C:\Program Files (x86)\TOSHIBA\ConfigFree\cfFncEnabler.exe"
    O4 - HKLM\..\Run: [TWebCamera] "%ProgramFiles(x86)%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
    O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
    O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Monitor] "C:\Program Files (x86)\LeapFrog Connect\Monitor.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\RunOnce: [97DD82E2-2CC8-432A-888E-6989C46CECE1] cmd.exe /C start /D "C:\Users\yulanda\AppData\Local\Temp" /B 97DD82E2-2CC8-432A-888E-6989C46CECE1.exe -activeimages -postboot
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files (x86)\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: TOSHIBA Web Camera Service (camsvc) - TOSHIBA - C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe
    O23 - Service: ConfigFree Gadget Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files (x86)\LeapFrog Connect\CommandService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\\lxdiserv.exe
    O23 - Service: lxdi_device - - C:\Windows\system32\lxdicoms.exe
    O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\partner.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: TOSHIBA Modem region select service (RSELSVC) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\rselect\RSelSvc.exe
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: TOSHIBA HDD Protection (Thpsrv) - Unknown owner - C:\Windows\system32\ThpSrv.exe (file missing)
    O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
    O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 13151 bytes
    ========================================================================================
    Here is the GMER Log from today:
    GMER 2.1.18952 - http://www.gmer.net
    Rootkit scan 2013-02-15 20:48:26
    Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.FG01 298.09GB
    Running: n7i2vffz.exe; Driver: C:\Users\yulanda\AppData\Local\Temp\pwlirfoc.sys


    ---- Threads - GMER 2.1 ----

    Thread C:\Windows\system32\wininit.exe [712:3296] 000007feff747780
    Thread C:\Windows\System32\svchost.exe [1028:996] 000007fef7dd8a4c
    Thread C:\Windows\System32\svchost.exe [1028:1924] 000007fef7dd8a4c
    Thread C:\Windows\System32\svchost.exe [1028:3076] 000007fef7dd8a4c
    Thread C:\Windows\System32\svchost.exe [1028:3080] 000007fef7dd8a4c
    Thread C:\Windows\System32\svchost.exe [1028:3084] 000007fef7dd8a4c
    Thread C:\Windows\System32\svchost.exe [1028:3088] 000007fef7dd8a4c
    Thread C:\Windows\System32\svchost.exe [1028:3092] 000007fef7dd8a4c
    Thread C:\Windows\System32\svchost.exe [1028:3096] 000007fef7dd8a4c
    Thread C:\Windows\System32\svchost.exe [1028:3100] 000007fef7dd8a4c
    Thread C:\Windows\System32\svchost.exe [1028:3104] 000007fef7dd8a4c
    Thread C:\Windows\System32\svchost.exe [1028:4408] 000007fef6a95000
    Thread C:\Windows\System32\svchost.exe [1028:4720] 000007fef08d9bec
    Thread C:\Windows\System32\svchost.exe [1028:4204] 000007fef08dc3fc
    Thread C:\Windows\system32\svchost.exe [1040:1512] 000007fef8608cdc
    Thread C:\Windows\system32\svchost.exe [1040:1292] 000007fef8054298
    Thread C:\Windows\system32\svchost.exe [1040:1296] 000007fef8054f54
    Thread C:\Windows\system32\svchost.exe [1040:1300] 000007fef8054c48
    Thread C:\Windows\system32\svchost.exe [1040:2108] 000007fef67fe654
    Thread C:\Windows\system32\svchost.exe [1040:2724] 000007fef55456a8
    Thread C:\Windows\system32\svchost.exe [1040:2752] 000007fefd051be8
    Thread C:\Windows\system32\svchost.exe [1040:2704] 000007fefd051be8
    Thread C:\Windows\system32\svchost.exe [1040:4696] 000007fef0a48410
    Thread C:\Windows\system32\svchost.exe [1040:3020] 000007fef10e7ec0
    Thread C:\Windows\system32\svchost.exe [1040:4784] 000007fef091e438
    Thread C:\Windows\system32\svchost.exe [1040:4780] 000007fef0346a48
    Thread C:\Windows\system32\svchost.exe [1040:4232] 000007fef0104790
    Thread C:\Windows\system32\svchost.exe [1040:948] 000007fef7f7d980
    Thread C:\Windows\system32\svchost.exe [1040:2072] 000007fef7f7cc80
    Thread C:\Windows\system32\svchost.exe [1040:2904] 000007fef7f7cc80
    Thread C:\Windows\system32\svchost.exe [1040:4356] 000007fef6a95000
    Thread C:\Windows\system32\svchost.exe [1040:3828] 000007fef3fe39f0
    Thread C:\Windows\system32\svchost.exe [1040:5124] 000007fef3fe39f0
    Thread C:\Windows\system32\svchost.exe [1040:1472] 000007feed593830
    Thread C:\Windows\system32\svchost.exe [1040:5988] 000007feed593830
    Thread C:\Windows\system32\svchost.exe [1040:5284] 000007feed593830
    Thread C:\Windows\system32\svchost.exe [1040:3224] 000007feed593830
    Thread C:\Windows\system32\svchost.exe [1040:6816] 000007fef6bc724c
    Thread C:\Windows\system32\svchost.exe [1040:828] 000007feee07cb70
    Thread C:\Windows\system32\svchost.exe [1040:5204] 000007fef80c22f8
    Thread C:\Windows\system32\svchost.exe [1040:6184] 000007fef8054c48
    Thread C:\Windows\system32\svchost.exe [1040:5268] 000007fef8054c48
    Thread C:\Windows\System32\spoolsv.exe [1564:3700] 0000000051067f00
    Thread C:\Windows\System32\spoolsv.exe [1564:4028] 000007fef8a613dc
    Thread C:\Windows\System32\spoolsv.exe [1564:4032] 000007fef8a612ac
    Thread C:\Windows\System32\spoolsv.exe [1564:4040] 000007fef8a01c00
    Thread C:\Windows\System32\spoolsv.exe [1564:4048] 000007fef43f38a0
    Thread C:\Windows\System32\spoolsv.exe [1564:4052] 000007fef67bbd78
    Thread C:\Windows\System32\spoolsv.exe [1564:4056] 000007fef67bc4f8
    Thread C:\Windows\System32\spoolsv.exe [1564:4060] 000007fef67c6844
    Thread C:\Windows\System32\spoolsv.exe [1564:4072] 000007fef354a704
    Thread C:\Windows\system32\WLANExt.exe [1584:1704] 00000001800cbdd0
    Thread C:\Windows\system32\WLANExt.exe [1584:1716] 0000000180073b70
    Thread C:\Windows\system32\WLANExt.exe [1584:1720] 00000001800cbdd0
    Thread C:\Windows\system32\WLANExt.exe [1584:1036] 0000000001527d4c
    Thread C:\Windows\system32\WLANExt.exe [1584:1052] 0000000001527d68
    Thread C:\Windows\system32\WLANExt.exe [1584:1096] 0000000001527d30
    Thread C:\Windows\system32\svchost.exe [2448:2520] 000007fef67bbd78
    Thread C:\Windows\system32\svchost.exe [2448:2552] 000007fef67bc4f8
    Thread C:\Windows\system32\svchost.exe [2448:2568] 000007fef67c6844
    Thread C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe [2868:2932] 000007feff747780
    Thread C:\Windows\system32\Dwm.exe [3504:3532] 000007fef498c2ac
    Thread C:\Windows\system32\svchost.exe [4576:2328] 000000006e238328
    Thread C:\Windows\system32\SearchIndexer.exe [6344:5884] 000007fef3fe39f0

    ---- EOF - GMER 2.1 ----
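A pre-screen that a helper would run over a log like the one above, as an added example: this is my code, not part of the thread and not a HijackThis feature. It parses the R/F/O lines, groups registrations by CLSID, and flags entries that point at missing files, autostarts launched from a user Temp directory through cmd.exe, and names matching the add-ons AdwCleaner removes later in this thread (that name list is an assumption taken from the later AdwCleaner log, not a general blocklist). The sample input is eight lines copied from the HJT log above.

```python
"""Pre-screen a HijackThis log: parse the R/F/O entries, group them by CLSID and
flag the ones a malware-removal helper would look at first.
Added example for this thread; it is not a HijackThis feature."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: eight lines copied from the HJT log posted above.
SAMPLE_LOG_LINES = [
    r"R3 - URLSearchHook: WhiteSmoke B Toolbar - {f0e59437-6148-4a98-b0a6-60d557ef57f4} - C:\Program Files (x86)\WhiteSmoke_B\prxtbWhit.dll",
    r"O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)",
    r"O2 - BHO: WhiteSmoke B - {f0e59437-6148-4a98-b0a6-60d557ef57f4} - C:\Program Files (x86)\WhiteSmoke_B\prxtbWhit.dll",
    r"O3 - Toolbar: WhiteSmoke B Toolbar - {f0e59437-6148-4a98-b0a6-60d557ef57f4} - C:\Program Files (x86)\WhiteSmoke_B\prxtbWhit.dll",
    r'O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    r'O4 - HKLM\..\RunOnce: [97DD82E2-2CC8-432A-888E-6989C46CECE1] cmd.exe /C start /D "C:\Users\yulanda\AppData\Local\Temp" /B 97DD82E2-2CC8-432A-888E-6989C46CECE1.exe -activeimages -postboot',
    r"O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\partner.exe",
    r"O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)",
]

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumption: the add-on names to match are the ones AdwCleaner later removed
# from this machine (see the AdwCleaner log further down); not a general list.
PUP_NAMES = ("whitesmoke", "ask toolbar", "conduit", "search toolbar", "partner service")


@dataclass
class Entry:
    section: str            # HJT section code, e.g. O2 (BHO), O4 (autostart), O23 (service)
    body: str               # everything after "O2 - "
    clsid: Optional[str]    # lower-cased {GUID} if the line carries one


def parse(lines: List[str]) -> List[Entry]:
    """Keep only R/F/O entries; headers, process lists and blank lines are skipped."""
    entries = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        c = CLSID_RE.search(body)
        entries.append(Entry(m.group("section"), body, c.group(0).lower() if c else None))
    return entries


def shared_clsids(entries: List[Entry]) -> Dict[str, Set[str]]:
    """CLSIDs registered in more than one section. URLSearchHook + BHO + Toolbar
    for a single DLL is how search-hijacking toolbars usually show up."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e.clsid:
            seen[e.clsid].add(e.section)
    return {k: v for k, v in seen.items() if len(v) > 1}


def reasons_for(e: Entry, shared: Dict[str, Set[str]]) -> List[str]:
    low = e.body.lower()
    reasons = []
    if low.endswith("(file missing)"):
        if e.section == "O23" and r"c:\windows\system32" in low:
            # HJT 2.0 is a 32-bit program; on 64-bit Windows its System32 lookups are
            # redirected to SysWOW64, so native 64-bit system binaries show as missing.
            reasons.append("file missing, but likely a WOW64 redirection artifact; verify before acting")
        else:
            reasons.append("registration points at a file that no longer exists")
    if any(n in low for n in PUP_NAMES):
        reasons.append("name matches an add-on AdwCleaner removed in this thread")
    if e.section == "O4" and (r"\appdata\local\temp" in low or "%temp%" in low):
        reasons.append("autostart launches from a user temp directory")
    if e.section == "O4" and "cmd.exe /c" in low:
        reasons.append("autostart wrapped in cmd.exe /C")
    if e.clsid in shared:
        reasons.append("same CLSID hooked in " + ", ".join(sorted(shared[e.clsid])))
    return reasons


def triage(lines: List[str]) -> List[Tuple[Entry, List[str]]]:
    """Entries with at least one reason to look closer, in log order."""
    entries = parse(lines)
    shared = shared_clsids(entries)
    flagged = []
    for e in entries:
        reasons = reasons_for(e, shared)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG_LINES):
        print(f"{entry.section}: {entry.body[:70]}")
        for w in why:
            print(f"    - {w}")
```

On the sample, the CLSID grouping shows the WhiteSmoke DLL hooked three ways at once (URLSearchHook, BHO and Toolbar), which is the search-redirect pattern the original post describes; the Ask Toolbar BHO is an orphaned registration; and the only entries that need judgement rather than removal are the RunOnce launched from Temp and the Windows services marked "(file missing)", which on 64-bit Vista are usually the 32-bit scanner's WOW64 view rather than real deletions.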
     
  2. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Please run these two scans and post the logs:

    SCAN 1
    Click on this link to download : ADWCleaner and save it to your desktop.

    NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

    Close your browser and click on the AdwCleaner icon on your desktop.

    In the AdwCleaner window, click on the Delete button, accept any prompts that appear and allow it to reboot the PC. When the PC has rebooted you will be presented with the report; copy & paste it into your next post.



    SCAN 2
    Download RogueKiller (by tigzy) and save direct to your Desktop.
    On the web page select the 32bit or 64bit button to match the bit rate of your version of Windows.

    • Quit all running programs.
    • Start RogueKiller.exe by double clicking on the icon.
    • Wait until Prescan has finished.
    • Ensure all boxes are ticked under "Report" tab.
    • Click on Scan.
    • Click on Report when complete. Copy the contents of the report and paste them into your next reply.
    • NOTE: DO NOT attempt to remove anything that the scan detects.

     
  3. yrawls

    yrawls Thread Starter

    Joined:
    Jul 15, 2009
    Messages:
    28
    # AdwCleaner v2.112 - Logfile created 02/16/2013 at 11:46:25
    # Updated 10/02/2013 by Xplode
    # Operating system : Windows (TM) Vista Home Premium Service Pack 2 (64 bits)
    # User : yulanda - YULANDA-PC
    # Boot Mode : Normal
    # Running from : C:\Users\yulanda\Downloads\adwcleaner0.exe
    # Option [Delete]


    ***** [Services] *****

    Stopped & Deleted : Partner Service

    ***** [Files / Folders] *****

    Deleted on reboot : C:\Program Files (x86)\Conduit
    Deleted on reboot : C:\Program Files (x86)\Search Toolbar
    Deleted on reboot : C:\Program Files (x86)\WhiteSmoke_B
    Deleted on reboot : C:\ProgramData\Partner
    Deleted on reboot : C:\Users\yulanda\AppData\Local\APN
    Deleted on reboot : C:\Users\yulanda\AppData\Local\Conduit
    Deleted on reboot : C:\Users\yulanda\AppData\Local\Google\Chrome\User Data\Default\Extensions\oelbclnhkbhlhikfmpmbakbgeonbjjnp
    Deleted on reboot : C:\Users\yulanda\AppData\Local\SwvUpdater
    Deleted on reboot : C:\Users\yulanda\AppData\LocalLow\AskToolbar
    Deleted on reboot : C:\Users\yulanda\AppData\LocalLow\Conduit
    Deleted on reboot : C:\Users\yulanda\AppData\LocalLow\Toolbar4
    Deleted on reboot : C:\Users\yulanda\AppData\LocalLow\WhiteSmoke_B
    File Deleted : C:\END
    File Deleted : C:\Users\yulanda\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage
    File Deleted : C:\Users\yulanda\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage-journal

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\HavingFunOnline
    Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
    Key Deleted : HKCU\Software\AppDataLow\Software\WhiteSmoke_B
    Key Deleted : HKCU\Software\AppDataLow\Toolbar
    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\Google\Chrome\Extensions\oelbclnhkbhlhikfmpmbakbgeonbjjnp
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\WhiteSmoke_B Toolbar
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Deleted : HKLM\Software\AskToolbar
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler
    Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler.1
    Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
    Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
    Key Deleted : HKLM\SOFTWARE\Classes\TBSB05974.IEToolbar
    Key Deleted : HKLM\SOFTWARE\Classes\TBSB05974.IEToolbar.1
    Key Deleted : HKLM\SOFTWARE\Classes\TBSB05974.TBSB05974
    Key Deleted : HKLM\SOFTWARE\Classes\TBSB05974.TBSB05974.3
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3279141
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier.1
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.TBSB05974
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.TBSB05974.1
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{97A5591D-4C09-4E06-9228-AC433B73650C}
    Key Deleted : HKLM\Software\WhiteSmoke_B
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{97A5591D-4C09-4E06-9228-AC433B73650C}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F0E59437-6148-4A98-B0A6-60D557EF57F4}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\oelbclnhkbhlhikfmpmbakbgeonbjjnp
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5F074503-997F-4015-BD3A-8773EF1A167E}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{88781F37-140F-4BC0-9A85-31451963F349}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0E59437-6148-4A98-B0A6-60D557EF57F4}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WhiteSmoke_B Toolbar
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}
    Key Deleted : HKLM\SOFTWARE\Software
    Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
    Key Deleted : HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
    Key Deleted : HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{F0E59437-6148-4A98-B0A6-60D557EF57F4}]
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{F0E59437-6148-4A98-B0A6-60D557EF57F4}]
    Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
    Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{F0E59437-6148-4A98-B0A6-60D557EF57F4}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.19400

    [OK] Registry is clean.

    -\\ Mozilla Firefox v18.0.2 (en-US)

    File : C:\Users\yulanda\AppData\Roaming\Mozilla\Firefox\Profiles\nut8vgng.default\prefs.js

    [OK] File is clean.

    -\\ Google Chrome v24.0.1312.57

    File : C:\Users\yulanda\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [7996 octets] - [16/02/2013 11:46:25]

    ########## EOF - C:\AdwCleaner[S1].txt - [8056 octets] ##########

    I am running RogueKiller now; those logs to follow.
     
  4. yrawls

    yrawls Thread Starter

    Joined:
    Jul 15, 2009
    Messages:
    28
    RogueKiller V8.5.1 _x64_ [Feb 12 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
    Started in : Normal mode
    User : yulanda [Admin rights]
    Mode : Scan -- Date : 02/16/2013 11:58:26
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: TOSHIBA MK3255GSX +++++
    --- User ---
    [MBR] f8eab3404dd8206add746aa97e2ae38d
    [BSP] dc7609e022ae85429facae78fb174122 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 293256 Mo
    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 603662336 | Size: 10488 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1]_S_02162013_02d1158.txt >>
    RKreport[1]_S_02162013_02d1158.txt
     
  5. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    There is no need to quote my posts in your replies.

AdwCleaner removed quite a lot of junk, has there been any improvement?

    RogueKiller found nothing so please run the scan below:



    Please follow the instructions exactly as written, deviating from the instructions and trying to fix anything before I have seen the logs may make your PC unbootable. If TDSSKiller does not offer the Cure option DO NOT select delete as you may remove files needed for the system to operate.

    Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!
    -- The tool is frequently updated...if you used TDSSKiller before, delete that version and download the most current one before using again.

    Be sure to print out and follow the instructions for performing a scan.

    • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
    • Alternatively, you can download TDSSKiller.exe and use that instead.
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If an update is available, TDSSKiller will prompt you to update and download the most current version. Click Load Update. Close TDSSKiller and start again.


    • When the program opens, click the Change parameters.


    • Under "Additional options", check the boxes next to Verify file digital signatures and Detect TDLFS file system, then click OK.


    • Click the Start Scan button.


    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If 'Suspicious objects' are detected, the default action will be Skip. Leave the default set to Skip and click on Continue.
    • If Malicious objects are detected, they will show in the Scan results - Select action for found objects: and offer three options.


    • Ensure Cure is selected...then click Continue -> Reboot computer for cure completion.


    • Important! -> If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed. If you choose Delete you may remove critical system files and make your PC unstable or possibly unbootable.
    • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C: ).
    • Copy and paste the contents of that file in your next reply.

    -- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it to something else before beginning the download and saving to the computer or to perform the scan in "safe mode".
     
  6. yrawls

    yrawls Thread Starter

    Joined:
    Jul 15, 2009
    Messages:
    28
    Ok....the loading is really a lot faster and so is the surfing.

    I used TDSS and it didn't find anything, drivers for my computer and the light scribe application. The issues with the redirecting happen a lot with Mozilla Firefox. Do you have any recommendations to help with that? Does the lack of malicious objects in Kaspersky mean that there is nothing there now?
     
  7. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
The Kaspersky tool only scans for rootkits, so that is no guarantee the machine is clean. It is encouraging that your system's performance has improved, but clearly there is still a problem with Firefox.


    Please run Firefox with no Add-ons to see if the redirects stop.
    With Firefox open click on Help then click on Restart with Add-ons disabled.

    I'd also like to check the file that MSE was detecting:

    Please download SystemLook from one of the links below and save it to your Desktop.



    • Double-click SystemLook.exe to run it.
    • Vista/Windows 7 users right-click and select Run As Administrator.
    • Copy and paste everything in the codebox below into the main textfield:
      Code:
      :filefind
      WBEMESS.DLL
    • Click the Look button to start the scan.
    • When finished, a Notepad window will open SystemLook.txt with the results of the search and save a copy on your Desktop.
    • Please copy and paste the contents of that log in your next reply.
     
  8. yrawls

    yrawls Thread Starter

    Joined:
    Jul 15, 2009
    Messages:
    28
    Sorry, I was at work when I got this...here you go. I will run firefox like you suggested.


    SystemLook 30.07.11 by jpshortstuff
    Log created at 16:48 on 17/02/2013 by yulanda
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "WBEMESS.DLL"
    C:\Windows\System32\wbem\wbemess.dll --a---- 513024 bytes [02:50 21/01/2008] [02:50 21/01/2008] 8D94313E7A7786997B4C362B7CCB5D29
    C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-wbemess-dll_31bf3856ad364e35_6.0.6001.18000_none_bff3eaa7e7fe5875\wbemess.dll --a---- 513024 bytes [02:50 21/01/2008] [02:50 21/01/2008] 8D94313E7A7786997B4C362B7CCB5D29
    C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-wbemess-dll_31bf3856ad364e35_6.0.6002.18005_none_c1df63b3e52023c1\wbemess.dll --a---- 513024 bytes [02:50 21/01/2008] [02:50 21/01/2008] 8D94313E7A7786997B4C362B7CCB5D29
     
  9. yrawls

    yrawls Thread Starter

    Joined:
    Jul 15, 2009
    Messages:
    28
    no redirects in firefox today so far
     
  10. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Sounds encouraging with Firefox, see how it goes and if no more redirects happen then it was probably due to an Add-on. With Firefox open click on Tools and then Add-ons, click on the Extensions tab and Disable/Remove any item you don't recognize.

Now for the wbemess.dll file. SystemLook has not found it where your Anti Virus did, and the hash number is different, so we need to check the file is still there and then get it scanned on-line.

    First do this to unhide system files:
Open Windows Explorer.
    Click on Organize in the top left corner and select Folder and search options.
    Click on the View tab.
    Just below Hidden files and folders click the circle next to Show hidden files, folders or drives so it turns blue.
    Look down a few lines and uncheck the box next to Hide protected operating system files (Recommended)
    Click on Apply and then OK.

    Now see if you can find this file.

    C:\WINDOWS\SYSWOW64\WBEM\WBEMESS.DLL

    If it is there do this, if not let me know.

    Go to one of the following online services that analyzes suspicious files:

    In the "File to Scan" (Upload or Submit) box, click the "browse" button and locate the file.

    Click "Open", then click the "Submit" button. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.
    -- Post back with the results of the file analysis in your next reply.
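As an added example (not part of the thread, and not code from SystemLook or any other tool mentioned here), the same check done from an elevated PowerShell prompt: list every copy of wbemess.dll under the Windows directory, hash each one, compare it with the MD5 that SystemLook reported earlier in the thread, and show its Authenticode signature status. The flagged path and the MD5 come from the thread; the cmdlets used assume PowerShell 4 or later.

```powershell
# Added example: verify where wbemess.dll really exists and whether each copy
# matches the hash SystemLook reported. Run as Administrator.

$Target   = 'wbemess.dll'
$Flagged  = 'C:\Windows\SysWOW64\wbem\wbemess.dll'   # path named by the AV alert in this thread
$KnownMd5 = '8D94313E7A7786997B4C362B7CCB5D29'        # MD5 SystemLook showed for the System32/WinSxS copies

# First question from the thread: is the flagged path even present?
if (Test-Path -LiteralPath $Flagged) {
    Write-Host "Flagged path exists: $Flagged"
} else {
    Write-Host "Flagged path does not exist: $Flagged"
}

# Enumerate every copy under %SystemRoot%, including hidden/system files (-Force).
$copies = Get-ChildItem -Path $env:SystemRoot -Filter $Target -Recurse -File -Force `
                        -ErrorAction SilentlyContinue

$copies | ForEach-Object {
    $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
    $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash   # what most online scanners look up by
    # Caveat: on older Windows versions catalog-signed OS files can report
    # NotSigned here even when legitimate; treat a hash mismatch plus an
    # unknown or invalid signer as the signal, not NotSigned alone.
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path         = $_.FullName
        SizeBytes    = $_.Length
        MD5          = $md5
        MatchesKnown = ($md5 -eq $KnownMd5)
        SHA256       = $sha
        Signature    = $sig.Status
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Format-Table -AutoSize
```

A copy whose MD5 does not match and whose signer is not Microsoft is the one worth submitting to an online file-analysis service; the SHA256 column lets you look it up there without uploading anything first.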
     
  11. yrawls

    yrawls Thread Starter

    Joined:
    Jul 15, 2009
    Messages:
    28
    The file was not found on a search with the hidden program files search. I see that it did get picked up by reg run on 2/12 at: 1:34pm and 1:51 pm, it only shows in the notepad log files. It is still searching...taking a while. Something that I did overlook, I forgot to turn off my windows security real time protection during the scans...would that prevent the SystemLook from finding the file?
     
  12. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    The Windows Security protection should not have stopped SystemLook finding the file.

    It would be best to search for the file manually using Windows Explorer, open the C: drive, then Windows folder, then Syswow64, then Wbem and see if it is there.
     
  13. yrawls

    yrawls Thread Starter

    Joined:
    Jul 15, 2009
    Messages:
    28
Doing a manual search, I found the wbem file, but no dll; it shows a wmbmess.tmf file only....but when I ran just the explorer search of the whole file it took forever but never showed it was complete.
     
  14. yrawls

    yrawls Thread Starter

    Joined:
    Jul 15, 2009
    Messages:
    28
    I really do think that it is ok now. I can search and my computer loads like it did a few months ago. If I have any trouble, I will repost. Very fast with the replies...U rock, thanks Mark
     
  15. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    You're welcome. I am glad to hear everything is running smoothly.

    There is one final check we always like to run to make sure you don't have any programs that are out of date that could pose a security risk.

    Download Security Check by screen317 from Here or Here.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please Copy & Paste the contents of that document into your next reply.


    Any of the tools that have been used can simply be deleted from your desktop along with any log files.
     