Computer playing up, pls look at my hijack log
Comments
-
yes, CF is very good, but even it has its limitations, that Dr Web usually sorts
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
0 -
I have used combofix many times - it's very good. I don't understand how it works . . . so what?? That caveat is always brought up and is why I've given up recommending CF on this forum - fed up with the inevitable, unqualified comments that follow..
Agreed. OTOH in the past (e.g. around 2009) CF was a tool that would often cause more trouble than it fixed - at least in my own experience - so I tend to be slow to use or recommend it even though it's come a long way since then.
I do tend to find and clean leftovers of it from clients' machines, so I'd say it's in fairly common usage by computer shops.
HijackThis is/was intended to show possible settings and load points affected by malware.
Still useful for most trojans, as well as a general purpose diagnostic for troubleshooting problems. I generally use HJT +/- Autoruns as a first look, then study either OTL or DDS logs while one of the automated scans is running.
0 -
Malwarebytes' Anti-Malware 1.51.1.1800
https://www.malwarebytes.org
Database version: 7463
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
14/08/2011 12:09:09
mbam-log-2011-08-14 (12-09-06).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 275758
Time elapsed: 2 hour(s), 17 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
0 -
Let's see if some more information might help us. Is it just the Internet that runs slow, or the computer as a whole?
Download SINO by Artellos. http://www.artellos.com/ccount/click.php?id=9 (Download Links: Latest exe download) & save it to your Desktop
Double click SINO.exe to run it. Then check (tick) the following checkboxes:
- System Info
- Event log
- Once checked, hit the Run Scan! button and wait for the program to finish the scan.
- A notepad window will pop up. Copy all of the content of the notepad file and post it into your next reply. (You might have to split it over 2 or more posts.)
0 -
System Investigator by Olrik
Log Created On: 2239_14-08-2011
SINO Version: 3.1.0.0
Total RAM: 894 MB | Free RAM: 99 MB | Pagefile Size: 2168 MB
C: | 28882 MB out of 57223 MB Free | Local Fixed Disk
| None | CD-ROM Disc
<<<< System Information >>>>
Computer Name: KAREN-B497AA490
Username: KAREN
Language Setting: ENG
Windows Directory: C:\WINDOWS
Windows Version: Windows XP Service Pack 3
<<<< Last 5 Application Errors or Warnings >>>>
Computer Name: KAREN-B497AA490 | ID: 1001 | Source: Application Hang | Type: Error | Date: 14-8-11 13:11:8 | Log: Application
Message: Fault bucket -1769735916.
Computer Name: KAREN-B497AA490 | ID: 1002 | Source: Application Hang | Type: Error | Date: 14-8-11 13:11:0 | Log: Application
Message: Hanging application mbam.exe, version 1.51.1.1076, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Computer Name: KAREN-B497AA490 | ID: 1001 | Source: Microsoft Security Client | Type: Error | Date: 14-8-11 11:7:21 | Log: Application
Message: <The description for Event ID ( 1001 ) in Source ( u'Microsoft Security Client' ) could not be found. It contains the following insertion string(s):u'Microsoft Security Client, FEP clean-up policy, , 0x80040154'.>
Computer Name: KAREN-B497AA490 | ID: 1517 | Source: Userenv | Type: Warning | Date: 13-8-11 17:59:12 | Log: Application
Message: Windows saved user KAREN-B497AA490\KAREN registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
Computer Name: KAREN-B497AA490 | ID: 1020 | Source: ASP.NET 2.0.50727.0 | Type: Warning | Date: 10-8-11 11:42:26 | Log: Application
Message: Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.
<<<< Last 5 System Errors or Warnings >>>>
Computer Name: KAREN-B497AA490 | ID: 1116 | Source: Microsoft Antimalware | Type: Warning | Date: 14-8-11 10:55:16 | Log: System
Message: <The description for Event ID ( 1116 ) in Source ( u'Microsoft Antimalware' ) could not be found. It contains the following insertion string(s):u'%%860, 3.0.8402.0, {F1E6EFA8-5408-40C3-8D67-F901D78C226A}, 2011-08-14T09:55:06.875Z, , , 2147626071, Trojan:Win32/Orsam!rts, 4, High, 8, Trojan, http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Orsam!rts&threatid=2147626071, 1, , 1, 3, %%818, C:\\Program Files\\AVAST Software\\Avast\\ashQuick.exe, KAREN-B497AA490\\KAREN, , file:_C:\\DOCUME~1\\KAREN~1.KAR\\LOCALS~1\\Temp\\_avast_\\unp158091714.tmp, 1, %%845, 1, %%813, 0, %%822, 0, 9, %%887, , 0x00000000, The operation completed successfully. , , 0, 0, No additional actions required, , , AV: 1.109.1785.0, AS: 1.109.1785.0, NIS: 0.0.0.0, AM: 1.1.7104.0, NIS: 0.0.0.0'.>
Computer Name: KAREN-B497AA490 | ID: 1003 | Source: Dhcp | Type: Warning | Date: 14-8-11 9:30:16 | Log: System
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0016E3BF4B41. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Computer Name: KAREN-B497AA490 | ID: 1003 | Source: Dhcp | Type: Warning | Date: 14-8-11 9:9:47 | Log: System
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0016E3BF4B41. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Computer Name: KAREN-B497AA490 | ID: 29 | Source: W32Time | Type: Error | Date: 14-8-11 9:7:3 | Log: System
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.
Computer Name: KAREN-B497AA490 | ID: 17 | Source: W32Time | Type: Error | Date: 14-8-11 9:7:3 | Log: System
Message: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)
<<<< Special Events >>>>
Computer Name: KAREN-B497AA490 | ID: 1006 | Source: Windows Product Activation | Type: Information | Date: 14-6-11 12:39:44 | Log: Application
Message: You have successfully activated your Windows product. Thank you.
Computer Name: KAREN-B497AA490 | ID: 1005 | Source: Windows Product Activation | Type: Warning | Date: 14-6-11 11:49:31 | Log: Application
Message: Your Windows product has not been activated with Microsoft yet. Please use the Product Activation Wizard within 30 days.
End of File
Thanks for your time and effort, I appreciate it. I never use it apart from on the web so I am not too sure if it's slow at other times, at the moment it's ok. I have deleted mse and put on Avast
Karen
0 -
Nothing glaringly obvious there. The MSE detection in there looks like it detected Avast as you installed it. It's better to uninstall an AV before installing a replacement.

Do this for me.
Press Start > Run, then copy/paste the command inside the codebox below into the run box and press OK:
cmd /c chkdsk c: |find /v "percent" >>"%userprofile%\desktop\checkhd.txt"
A command window will open and then close in a few minutes when completed.
A file named checkhd.txt should appear on your Desktop. Post the contents of that file.
0 -
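The detection discussed in the reply above can be read straight out of the SINO output. The following Python sketch is an added example, not part of the thread or of SINO: it parses records in the layout posted above and pulls the threat name, scanning process and file out of the Microsoft Antimalware event 1116 insertion strings. The field-picking rules, the `AV_TOKENS` list and all function names are assumptions made for illustration.

```python
import re

# Constructed sample in the SINO layout; the 1116 insertion strings are trimmed from the thread's log.
SAMPLE = r"""Computer Name: KAREN-B497AA490 | ID: 1116 | Source: Microsoft Antimalware | Type: Warning | Date: 14-8-11 10:55:16 | Log: System
Message: <The description for Event ID ( 1116 ) in Source ( u'Microsoft Antimalware' ) could not be found. It contains the following insertion string(s):u'%%860, 3.0.8402.0, 2147626071, Trojan:Win32/Orsam!rts, 4, High, 8, Trojan, %%818, C:\\Program Files\\AVAST Software\\Avast\\ashQuick.exe, KAREN-B497AA490\\KAREN, , file:_C:\\DOCUME~1\\KAREN~1.KAR\\LOCALS~1\\Temp\\_avast_\\unp158091714.tmp, 1, %%845'.>
Computer Name: KAREN-B497AA490 | ID: 1003 | Source: Dhcp | Type: Warning | Date: 14-8-11 9:30:16 | Log: System
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0016E3BF4B41.
"""

HEADER = re.compile(r"^Computer Name: (?P<host>[^|]+?) \| ID: (?P<id>\d+) \| "
                    r"Source: (?P<source>[^|]+?) \| Type: (?P<type>\w+) \| "
                    r"Date: (?P<date>[^|]+?) \| Log: (?P<log>\w+)\s*$")
AV_TOKENS = ("avast",)  # hypothetical list of scanner names, extend as needed

def parse_records(text):
    """Split SINO event-log text into dicts; wrapped lines are joined into 'message'."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "message": ""})
        elif records and line.strip() and not line.startswith("<<<<"):
            body = line[len("Message: "):] if line.startswith("Message: ") else line
            records[-1]["message"] = (records[-1]["message"] + " " + body.strip()).strip()
    return records

def parse_detection(record):
    """Heuristic (not the official field order): pick fields by their shape."""
    m = re.search(r"insertion string\(s\):u'(.*)'", record["message"])
    if (record["source"], record["id"]) != ("Microsoft Antimalware", "1116") or not m:
        return None
    fields = [f.strip().replace("\\\\", "\\") for f in m.group(1).split(", ")]
    pick = lambda test: next((f for f in fields if test(f)), None)
    return {"threat": pick(lambda f: re.fullmatch(r"\w+:\w+/[\w.!-]+", f)),
            "process": pick(lambda f: f.lower().endswith(".exe")),
            "file": (pick(lambda f: f.startswith("file:_")) or "")[len("file:_"):] or None}

def is_scanner_artifact(det):
    """True when both the process path and a Temp file path name the same scanner."""
    proc, path = (det["process"] or "").lower(), (det["file"] or "").lower()
    return "\\temp\\" in path and any(t in proc and t in path for t in AV_TOKENS)

def triage(text):
    """Return (threat, process, file, scanner_artifact) for each detection record."""
    dets = filter(None, map(parse_detection, parse_records(text)))
    return [(d["threat"], d["process"], d["file"], is_scanner_artifact(d)) for d in dets]

print(triage(SAMPLE))
```

A `True` in the last position only says the flagged file sits in a Temp folder belonging to the same scanner that was handling it; it is a triage hint, not a verdict on the file.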
Thanks,
The command window stays open for a few minutes and then closes, but no file has appeared (I have tried twice)
0 -
Press Start > Run, then copy/paste the command inside the codebox below into the run box and press OK:
notepad "%userprofile%\desktop\checkhd.txt"
What happens - any error messages?
0 -
Total RAM: 894 MB | Free RAM: 99 MB
this will probably turn out to be the most important factor in this case..... suggest the OP follows closed's excellent sticky on speeding up a slow pc, then reports back on this thread if stuck
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
0 -
Quite possible, but I would expect the PC to run consistently poor and not "great for hours/days" and then slow considerably.
0
This discussion has been closed.
