
Slow, Locks Up, Dialer, Pops, the norm

Discussion in 'Virus & Other Malware Removal' started by JobyJoby, Apr 1, 2010.

Thread Status:
Not open for further replies.
  1. JobyJoby

    JobyJoby Thread Starter

    Joined:
    Apr 1, 2010
    Messages:
    2
    G' Morning Masters,

    Let me say first that I have been using you guys for years w/o ever logging in. For that I am forever in your debt. I am somewhat responsible for several family machines and in the past I have solved all issues by reading past posts, Google and HJT at my own risk. I am just smart enough to take care of my own machines, and just stupid enough to help with chit I can not handle on others' machines. But now I find myself addressing a new machine that is top heavy with malware. It belongs to my Brother In Law (BIL) and it is a dog. I am only in town for a couple days and won't be around for the fallout. Nonetheless I have to do what I can. So thanks in advance, and this is where we are:

    Machine: Old Sony Vaio laptop; P4 266Ghz 500MB RAM; XP Home SP3; Kaspersky 9 (although not working well and BIL says machine will not allow AV updates).

    Symptoms: Slow, locks up, won't allow AV downloads or updates, pop-ups, dialer pop-ups (T-Online), etc. The norm.

    History:

    He uses Kaspersky. I am not familiar with it and the GUI is in German (me no speaky). But I do get a bit.

    Kaspersky is MAD at a few things related to Combofix (mbr.cfxxe, handle.cfxxe, cf4228). Now I doubt my BIL is savvy enough to have loaded a Combofix utility in the past, but it does look like a failure to fully uninstall a Combofix tool after use; or .... malware hiding as Combofix?

    Kaspersky is also repeatedly complaining about PMD related stuff: pmd.invader, pmd.private, and they all seem to be related to T-Online. T-Mobile is their ISP, and I have already killed (Spybot) a few dialers that had hooked into that, but Kaspersky is still pissy.

    One thing my BIL says he needs to keep is Personal ID (PID.exe). It appears to be an aggregate log-in app, mostly here in Germany. I don't know what sites it allows him to get into, don't want to know, but he says he needs it. Fair play.

    Also, they have a cutesy thing installed that turns the cursor into a lil blue or yellow dinosaur with running legs. I can't find it, otherwise I'd kill it. Cute enough, but my experience is that those apps are always associated w/ malware.

    So far: I loaded Avast and ran a scan (always a bad idea when another AV (Kaspersky) is already resident, but I did it). Avast found nothing. Can't remember if I ran it in XP Safe Mode or normal, but it found nothing (had to load it by a thumb drive as well, since the malware was blocking AV downloads). Uninstalled it now.

    Spybot: put that on by thumb as well and in Safe Mode it found it: eGroup.InstantAccess; FastClick; Holistyc (dialer); LiveSVC.Wintrim (trojan); MainPenn (dialer); and AppFirewallBypass. Killed 'em all as far as I know.

    Machine is still as slow as Siberian winter dog poo. So.....

    If I had time with this machine, I would extract files to build a new image and throw in a new hard drive. I don't have the time and... really the hardware isn't worth it.

    So after the Spybot and (unsuccessful) Avast I ran HJT. Log below. I am fairly certain that no matter what we do, there is stuff that has embedded itself in the Ops programs and it will always be a dog until I can re-image it. Thoughts, theories and theologies welcome.

    Thanks in advance for your help. I am trying to do well in this life so that in my next life I might come back as one of you guys (or maybe just an apple) ;)

    HJT log below

    Thanks in advance for this, and retro-thanks for all the hundreds of issues y'all have helped me solve without knowing it.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:50:33, on 01.04.2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Programme\Apoint\Apoint.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Programme\Sony\HotKey Utility\HKserv.exe
    C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
    C:\Programme\FreePDF_XP\fpassist.exe
    C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
    C:\PROGRA~1\COOLSP~1\PERSON~1\PID.EXE
    C:\Programme\Nokia\Nokia PC Suite 7\PCSuite.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
    C:\Programme\Microsoft Office\Office\FINDFAST.EXE
    C:\Programme\Microsoft Office\Office\OSA.EXE
    C:\Programme\Sitecom Wireless LAN\WLANUTL.exe
    C:\Programme\PC Connectivity Solution\ServiceLayer.exe
    C:\Programme\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Programme\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Programme\Apoint\Apvfb.exe
    C:\Programme\Apoint\Apntex.exe
    C:\Programme\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
    C:\Programme\Sony\HotKey Utility\HKWnd.exe
    C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
    C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
    C:\Programme\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\spider.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: GMX Browser Configuration by mquadr.at - {D48FF4B4-E68F-47D1-8E25-81A0F0EEB341} - C:\WINDOWS\system32\ieconfig_1und1.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Programme\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
    O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
    O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
    O4 - HKCU\..\Run: [Personal ID] C:\PROGRA~1\COOLSP~1\PERSON~1\PID.EXE
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programme\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    O4 - HKCU\..\Run: [ccleaner] "C:\Programme\CCleaner\CCleaner.exe" /AUTO
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Sitecom Wireless LAN Utility.lnk = ?
    O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP OfficeJet T Series-Start.lnk = C:\Programme\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: &Virtuelle Tastatur - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O9 - Extra button: Li&nks untersuchen - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
    O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.webplaner-innoplus.de/innova/pano/prog/rundum.7.0.2.0.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173783672807
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp01.photoprintit.de/microsite/1119/defaults/activex/ImageUploader3.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\GEMEIN~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
    O24 - Desktop Component 0: (no name) - http://images.nfl.com/images/hdr-home.gif
    O24 - Desktop Component 1: (no name) - http://www.edeka.de/EDEKA/Grafiken/Head/Jubilaeum/kopf_01.gif
    --
    End of file - 6941 bytes
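    A way to triage a HijackThis log like the one above before asking a helper to read it line by line: parse each `Oxx` entry and apply a few review heuristics (bare file names in Run keys that resolve via the search path, 8.3 short paths that hide the real directory name, startup shortcuts whose target HJT could not resolve, ActiveX controls fetched over plain HTTP, services with no vendor string). This is an added example, not the poster's code and not part of HijackThis; the sample lines are copied from the log above, and the heuristics are illustrative review rules, not HijackThis's own logic.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in the
# post above, enough to exercise each review rule below.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [Personal ID] C:\PROGRA~1\COOLSP~1\PERSON~1\PID.EXE
O4 - Startup: Sitecom Wireless LAN Utility.lnk = ?
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
"""

# HJT entries start with a section code (R0..R3, F0..F3, N1..N4, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")

# O4 Run-key body: 'HKLM\..\Run: [Name] <target> [args]'
RUN_RE = re.compile(r"HK(?:LM|CU)\\\.\.\\Run:\s+\[[^\]]*\]\s+(.*)$")

# First token that looks like an executable, quoted or not, followed by space or end.
EXE_RE = re.compile(r'"?(.*?\.(?:exe|com|bat|cmd|scr|dll))"?(?:\s|$)', re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def run_target(body):
    """Return the launch target of an O4 Run-key body, without quotes or arguments."""
    m = RUN_RE.match(body)
    if not m:
        return None
    target = m.group(1).strip()
    exe = EXE_RE.match(target)
    return exe.group(1) if exe else target


def triage(entries):
    """Apply simple review heuristics; returns (section, body, reason) findings."""
    findings = []
    for section, body in entries:
        if section == "O4" and body.startswith("HK"):
            target = run_target(body)
            if target and "\\" not in target:
                findings.append((section, body, "bare file name: resolved via the search path, locate the real file"))
            elif target and "~" in target:
                findings.append((section, body, "8.3 short path: resolve the long name before judging it"))
        elif section == "O4" and body.endswith("= ?"):
            findings.append((section, body, "startup shortcut target unresolved: inspect the .lnk by hand"))
        elif section == "O16" and " - http://" in body:
            findings.append((section, body, "ActiveX control fetched over plain HTTP"))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, body, "service has no vendor string: check the file's signature"))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```

    Run it against a full log by replacing `SAMPLE_LOG` with the file contents; a hit only means "look here first", and a clean entry is not proof of anything, since the rules know nothing about the files themselves.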
     
  2. JobyJoby

    JobyJoby Thread Starter

    Joined:
    Apr 1, 2010
    Messages:
    2
    Please, please, please. Today is my last day to get this done for my brother in law. Tomorrow I am back to France for two weeks and then off to Iraq. The machine is somewhat better now, but I still need help!!! Thanks in advance, Joby
     

Short URL to this thread: https://techguy.org/914141
