Desktop computer compromised, running slow, not updating. Please can you help?

  • closed wrote: »
    where did windows 8 suddenly appear from, IE8?

    hijackthis log

    Sorry I meant IE8, I can't think (or type) straight, it's freezing!

    Hijack this to follow!
  • Hi, I've just tried to post an updated Hijack This log from my desktop, but got an MSE notification to say it has been blocked. :(
  • closed
    closed Posts: 10,886 Forumite
    see the alternative method of posting in the speedup sticky, and creating a thread in site feedback would be useful to badger the administrators into fixing this posting problem
    !!
    > . !!!! ----> .
  • closed
    closed Posts: 10,886 Forumite
    The best way of cleaning up a slow or badly infected machine is to backup all your data to an external drive, and do a factory restore using the factory restore partition (see manual or manufacturer's website) or Windows disc. The alternative is to do it manually as follows (the list may look daunting, but should take less than an hour of effort (apart from virus scans)) :-

    This is a general guide on cleaning up infections and speeding up pc's, https://forums.moneysavingexpert.com/discussion/2436849 , the following advice is based on the contents of that thread, but tailored to your machine, if you've followed the thread fully since posting a hijackthis log, much of this advice will be redundant. All the software you need to install is free

    Making any changes to a PC setup always comes with a slight risk of something going wrong, the worst case scenario is an unbootable PC - ideally you should have got a backup of important data on dvd or external disk, and a disk image backup (http://www.macrium.com/reflectfree.asp) or windows disc/factory restore partition available before you start. In the unlikely event that anything does go wrong, post on another pc for advice.

    __________________________________________________


    ********************************************************************************************

    If you haven't already done it, Install Malwarebytes and do a FULL (not quick) scan (after updating it), fix anything found before closing, otherwise you'll have to do it all over again. You may get prompted asking if you want to run the free 14 day trial during install, I suggest you decline this offer, as it will slow things down. If anything was found reboot the machine before continuing. http://www.filehippo.com/download_malwarebytes_anti_malware/


    uninstall superantispyware, pctools firewall, windows defender


    __________________________________________________


    Install and run startuplite, accept suggested changes - http://www.malwarebytes.org/StartUpLite.exe

    __________________________________________________

    Unless you need them running all the time, use the startup tab in msconfig (start, run, msconfig) to disable these items from running at startup (they can always be run manually if needed). When you reboot after doing this, you will get a prompt about selective startup - tick Don't show this message or launch the system configuration utility when windows starts, and click ok

    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

    If you are posting because the machine is slow and haven't done so already, post your physical ram total, commit charge total, commit charge peak by doing CTRL ALT DEL, Task manager, performance - after virus infections, and bloated security applications, this is the principal reason XP machines slow down so this information is important to help you


    __________________________________________________


    Install and run ccleaner (untick the google toolbar during the install). Untick the "windows log files" box, under the system heading before cleaning. Also Tick the java cache tick box under CCleaner, applications, internet to wipe the java cache which sometimes hides infections. http://www.piriform.com/ccleaner/download/slim


    Disable ctfmon - control panel, regional and language options, languages, details, advanced, tick the Turn off advanced text services, ok

    Click the java icon in control panel, updates, untick check for updates

    __________________________________________________

    Using Hijackthis, tick and fix these entries
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173629298812
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173629274578
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader4.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://domino.mbs.ac.uk/dwa7W.cab

    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    __________________________________________________

    Uninstall any IE toolbars (browser helper objects or BHO's) in Control panel, or Firefox/chrome plugins that you don't need. This is a list of the IE BHO's evident in the log, (firefox/chrome plugins don't show up in hijackthis). To disable IE addons, see IE, tools, manage addons

    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    Disable (vista/W7) or uninstall (XP) Windows Defender. To disable windows defender on vista or windows 7 - from the start menu, windows defender, tools, options, untick use real-time protection, under administrator options, untick use windows defender and untick allow everyone to use windows defender, click save to save settings. XP users can either do this or preferably uninstall it in control panel instead.

    __________________________________________________

    delete the googleupdate task from c:\windows\tasks and disable any google update services using services.msc

    Download and install cleanmem http://www.pcwintech.com/cleanmem (download direct download). (important:use the "download direct download" link on pcwintech.com, not one from a 3rd party hosting site, the correct filename starts with cleanmem_xxxxx_setup.exe) - if you go to a 3rd party site, you could end up installing a completely different piece of software. Although the site is a little confusing, Cleanmem is free, the paid for version is not needed!

    __________________________________________________

    Disable error reporting (but leave notify me when critical errors occur ticked), in control panel, system, advanced error reporting

    start, run, services.msc - disable these services UNLESS you use them. (make a note of any services you disable, if you have any problems related to these services subsequently, simply re-enable them)

    SSDP Discovery Service
    Remote Registry
    WebClient
    Distributed Link Tracking Client

    Also disable these services if you don't use them by running services.msc (or uninstall the underlying software)
    C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\cisvc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

    __________________________________________________

    Uninstall any software for equipment that you no longer have or use, eg old printers/phones/cameras/satnavs/adsl usb modems - possible examples (you may or may not still use attached to the machine) are:
    epson

    C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    O4 - HKCU\..\Run: [EPSON SX210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFDE.EXE /FU "C:\WINDOWS\TEMP\E_S177.tmp" /EF "HKCU"
    canon


    apple

    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    hewlett


    tomtom

    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    eric

    aio

    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"

    __________________________________________________

    When you've done all that, reboot, note the commit charge before opening any applications, and post it along with a fresh hijackthis log and any logs of infections

    When you are happy the machine is working optimally, backup to an external drive, using the image this disk feature (not clone) of http://www.macrium.com/reflectfree.aspx and create a macrium rescue cd at the end of the backup, then if anything goes wrong in future, you can restore a fully working system with all data and programs intact, in minutes
    !!
    > . !!!! ----> .
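An added example, not part of the original post or of HijackThis itself: a small Python parser for entry lines in the format quoted in the post above. It flags entries the log itself marks `(file missing)`, `(no file)` or `Unknown owner`, and reports when one CLSID is registered under several sections (as with the Epson BHO and toolbar). The function names and flag labels are this example's own.

```python
import re
from collections import defaultdict

# Section prefixes that appear in the post above and what each one lists.
SECTIONS = {"R3": "URL search hook", "O2": "browser helper object",
            "O3": "IE toolbar", "O4": "startup entry", "O9": "IE extra button",
            "O16": "ActiveX download (DPF)", "O23": "service"}
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)$")

def parse_entry(line):
    """Return a dict for one HijackThis entry line, or None for anything else."""
    m = ENTRY_RE.match(line)
    if not m:
        return None  # bare process paths, separators and prose are skipped
    code, body = m.groups()
    flags = []
    if ORPHAN_RE.search(body):
        flags.append("orphaned")       # entry remains but its file is gone
    if code == "O23" and " - Unknown owner - " in body:
        flags.append("unknown-owner")  # log reports no owner for the service
    clsid = CLSID_RE.search(body)
    return {"code": code, "kind": SECTIONS.get(code, "other"), "flags": flags,
            "clsid": clsid.group(0).upper() if clsid else None, "body": body}

def triage(log_text):
    """Return (all entries, flagged entries, CLSIDs seen in several sections)."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    flagged = [e for e in entries if e["flags"]]
    by_clsid = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            by_clsid[e["clsid"]].add(e["code"])
    shared = {c: sorted(s) for c, s in by_clsid.items() if len(s) > 1}
    return entries, flagged, shared

# Lines copied from the log entries quoted in the post above.
SAMPLE = r"""
C:\WINDOWS\system32\cisvc.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

if __name__ == "__main__":
    entries, flagged, shared = triage(SAMPLE)
    for e in flagged:
        print(e["code"], e["kind"], e["flags"], e["body"])
    print("same CLSID in several sections:", shared)
```

A flag here only marks an entry for a closer look; whether to fix, disable or uninstall it is still the judgement call the post walks through.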
  • closed
    closed Posts: 10,886 Forumite
    is this hogging the cpu in task manager?

    C:\WINDOWS\system32\tcpsvcs.exe
    !!
    > . !!!! ----> .
  • Wow, thanks closed, that's brilliant! :)

    Do you think the machine may be infected, by the way?
  • closed wrote: »
    is this hogging the cpu in task manager?

    C:\WINDOWS\system32\tcpsvcs.exe

    Processes states 436k
  • closed
    closed Posts: 10,886 Forumite
    nothing apparent, avast + malwarebytes didn't find anything, your problem is probably bloat, most of which will go if you uninstall superantispyware, pc tools firewall, windows defender, and fix the o4's suggested, all of which should take you 5 mins.
    !!
    > . !!!! ----> .
  • Thanks for your continued help.

    I realise this is probably not what techies like to hear, but as I'm not experienced in this kind of thing I'd feel more confident doing a manual clean up, rather than having the responsibility of doing a factory restore and then trying to put it all together again - without screwing it up - if that's ok?

    Obviously, I'll back up to a hard drive. And I'll replace the battery & add additional ram as advised - should I do these before or after I do the clean up?

    I'm really grateful for the clean up instructions, but I'm sorry I don't understand it all - I'm not familiar with some of the jargon and some steps in the various processes; and which single elements would be ok to remove and which not.

    I really want to learn more. Would it be ok for me to post some queries about the bits I don't understand? Thank you.
This discussion has been closed.