Slow, Locks Up, Dialer, Pops, the norm

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

JobyJoby

Thread Starter
Joined
Apr 1, 2010
Messages
2
G' Morning Masters,

Let me say first that I have been using you guys for years w/o ever logging in. For tht I am forever in your debt. I am some what responsible for several family machines and in the past I have solved all issues by reading past posts, google and HJT at my own risk. I am just smart enough to take care of my own macines, and just stupid enough to help with chit i can not handle on others machines. But now I find myself addressing a new machine that is top heavy with malware. It belongs to my Broth In Law (BIL) and it is a dog. I am only in town for a couple days and won't be around for the fall out. None the less I have to do what I can. So thanks in advance, and this is where we are:

Machine: Old Sony Vario laptop; P4 266Ghz 500MB RAM; XP Home SP3: Kaspersky 9 (although not working well and BIL says mach will not allow AV updates).

Symptoms: Slow, Locks up, won't allow AV downloads or updates, pop-ups, Dialer Pop Ups (T-Online). etc. The Norm.

History:

He uses Kaspersky. I am not familiar with it and the GUI is in german (me no speaky). But I do get a bit.

Kaspersky is MAD at a few things related to Combofix (mbr.cfxxe, handle.cfxxe cf4228). Now I doubt my BIL is savy enough to have loaded a Combo fix utility in the past, but it does look like a failure to fully unistall a combofix tool after use; or .... malware hiding as combofix?

Kaspersky is also repeatedly complaining about PMD related stuff. pmd.invader pmd.private and they all seem to be related to T-Online. T-Mobile is their ISP, and i have already killed (Spybot) a few Dialers that had hooked into that, but Kaspersky still pissy.

One thing my BIL says he needs to keep is: Personal ID (PID.exe). It appears to be an aggrigate log in App, mostly here in germany. I don't know what sites it allows him to get into, don't want to know. but he says he needs it. Fair Play.

Also, they have a cutsie thing installed that turns the cursor into a lil blue or yello dinosaur with running legs. I cn't find it, otherwise I'd kill it. cute enough, but my experience is that those Apps are always associated w malware.

So far: I loaded Avast and ran a scan (always a bad idea when another AV (Kaspersky) is already resisdent, but i did it) Avast found nothing. Can't remember if I ran it in XP Safe Mode or norm, but it found nothing (had to load it by a thumb drive as well, since the malware was blocking AV downloads). Unistalled it now.

Spybot: put that on by thumb as well and in safe mode it found it: eGroup.InstantAccess; FastClick; Holistyc (Dialer); LiveSVC.Wintrim (trojan) MainPenn (Dialer); and AppFirewallBypass. Killed em all as far as i know.

Machine is still as slow as Siberian Winter Dog Poo. so.....

If I had time with this machine, I would extract files to build a new image and throw in a new hard drive. I don't have the time and... really the hardware isn't worth it.

So after the Spybot and (unsucessful) Avast I ran HJT. Log below. I am fairly certain that no matter what we do, there is stuff that has imbedded itself in the Ops programs and it will always be a dog until I can re-image it. Thoughts Theories and Theologies welcome.

Thanks in advance for your help. I am trying to do well in this life so that in my next life I might come back as one of you guys (or maybe just an apple) ;)

HJT log below

Thanks in advance for this, and retro-Thanks for all the hundreds of issues ya'll have helped me solve without knowin it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:50:33, on 01.04.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programme\Apoint\Apoint.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programme\Sony\HotKey Utility\HKserv.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\PROGRA~1\COOLSP~1\PERSON~1\PID.EXE
C:\Programme\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Programme\Microsoft Office\Office\FINDFAST.EXE
C:\Programme\Microsoft Office\Office\OSA.EXE
C:\Programme\Sitecom Wireless LAN\WLANUTL.exe
C:\Programme\PC Connectivity Solution\ServiceLayer.exe
C:\Programme\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programme\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Programme\Apoint\Apvfb.exe
C:\Programme\Apoint\Apntex.exe
C:\Programme\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\Programme\Sony\HotKey Utility\HKWnd.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\spider.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: GMX Browser Configuration by mquadr.at - {D48FF4B4-E68F-47D1-8E25-81A0F0EEB341} - C:\WINDOWS\system32\ieconfig_1und1.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Programme\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [Personal ID] C:\PROGRA~1\COOLSP~1\PERSON~1\PID.EXE
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programme\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ccleaner] "C:\Programme\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet T Series-Start.lnk = C:\Programme\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: &Virtuelle Tastatur - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Li&nks untersuchen - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.webplaner-innoplus.de/innova/pano/prog/rundum.7.0.2.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173783672807
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp01.photoprintit.de/microsite/1119/defaults/activex/ImageUploader3.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\GEMEIN~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O24 - Desktop Component 0: (no name) - http://images.nfl.com/images/hdr-home.gif
O24 - Desktop Component 1: (no name) - http://www.edeka.de/EDEKA/Grafiken/Head/Jubilaeum/kopf_01.gif
--
End of file - 6941 bytes
 

JobyJoby

Thread Starter
Joined
Apr 1, 2010
Messages
2
Please Please Please. today is my last day to get this done for my Brother In Law. Tomorrow I am back to France for two weeks and then off to Iraq. The machine is some what better now, but I still need help!!! Thanks in advance, Joby
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top