
System cleaned, but still really slow



Hi,

I was kindly redirected to this forum, hope this is the right spot.

A few months ago, my Windows XP got infected by a load of trojans and other malware, including the Vundo trojan, which brought my computer to its knees. I was unable to remove the malware until I came across Malwarebytes Antimalware, which has been running on my system ever since. Thank you very much for an excellent piece of software, I happily signed up for the full version.

Now, I run Spy Search and Destroy (but not the teatimer), Adware, XP Antispy and Malwarebytes on top of each other. I don't know if this is a good idea to run all this stuff on top of each other?

I am not sure if I am still infected, but since I've cleaned up as much as I think I can, I would be grateful for an expert opinion.

Edit:

Actually, just before running the Malwarebytes scan, I saw that 5 files were quarantined, and the Vundo was back along with a few friends. I deleted all 5 files before scanning again, was this a mistake, keeping you from seeing valuable information?

Below is a HiJack This report and latest MBAM logfile.

Logfile of HijackThis v1.99.1

Scan saved at 23:50:31, on 29-03-2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\lotus\notes\ntmulti.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe

C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Frederik\Desktop\hijackthis_sfx\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmtn.dk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: 255.255.255.255 broadcasthost

O1 - Hosts: ::1 localhost

O1 - Hosts: 216.34.181.45 s # slashdot.org

O1 - Hosts: 216.239.39.99 g # google.com

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java


  • Staff

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {B47E4A4A-8A4B-4DFE-9473-0B05A3E02B34} - (no file)

O2 - BHO: (no name) - {EBC90E7E-BBC5-4B45-A1C2-49227B5F2294} - (no file)

O2 - BHO: (no name) - {ec423c51-a1ae-475d-a559-90f453b24c7c} - (no file)

O20 - AppInit_DLLs: apqapl.dll nyngqz.dll dyepab.dll jtumui.dll,zhduef.dll ikqbyt.dll

O20 - Winlogon Notify: vtUlIYqR - C:\WINDOWS\

Check these if you didn't set them:

O1 - Hosts: 255.255.255.255 broadcasthost

O1 - Hosts: ::1 localhost

O1 - Hosts: 216.34.181.45 s # slashdot.org

O1 - Hosts: 216.239.39.99 g # google.com

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Let me know in your next reply how things are now.

By the way, is there any reason why you don't have an Antivirus installed?

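An added example, not part of the original posts and not HijackThis or Malwarebytes code: a small Python triage pass over HijackThis lines quoted in this thread, flagging the entry types the reply above singles out (BHOs with no file, `AppInit_DLLs`, Winlogon Notify, hosts redirects). The `triage` function, its rules and the `BENIGN_NAMES` allow-list are assumptions of this example; the reply itself asks the user to review all four hosts entries.

```python
import re

# Lines copied from the HijackThis log and the reply in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 216.239.39.99 g # google.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B47E4A4A-8A4B-4DFE-9473-0B05A3E02B34} - (no file)
O20 - AppInit_DLLs: apqapl.dll nyngqz.dll dyepab.dll jtumui.dll,zhduef.dll ikqbyt.dll
O20 - Winlogon Notify: vtUlIYqR - C:\WINDOWS\
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# Assumption of this example: these host names are treated as expected.
BENIGN_NAMES = {"localhost", "broadcasthost"}

def triage(log_text):
    """Return (code, reason, line) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process path or blank line
        code, body = m.group("code"), m.group("body")
        if code == "O2" and body.endswith("(no file)"):
            # Registry entry survives although the DLL is gone (leftover of a removal).
            findings.append((code, "BHO registered but its file is missing", line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL named here is loaded into each process that loads user32.dll.
            dlls = [d for d in re.split(r"[ ,]+", body.split(":", 1)[1].strip()) if d]
            findings.append((code, "AppInit_DLLs lists %d DLL(s): %s"
                             % (len(dlls), ", ".join(dlls)), line))
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            findings.append((code, "Winlogon Notify package registered", line))
        elif code == "O1" and body.startswith("Hosts:"):
            fields = body[len("Hosts:"):].split("#")[0].split()
            names = [n for n in fields[1:] if n.lower() not in BENIGN_NAMES]
            if names:
                findings.append((code, "hosts file maps %s to %s"
                                 % (", ".join(names), fields[0]), line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (code, reason, line))
```

A finding here means "review this entry", not "malicious": the Spybot BHO passes only because its file path is present, which says nothing about whether the file is trustworthy.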

Hi,

Thanks for a quick reply.

About 5 minutes after I posted the above, my disk failed. So it turned out that one of the reasons it was so slow was because of errors on the disk. Just bought a new one, and it is currently installing.

The software from Malwarebytes will be among the very first things I install!

Thanks,

Frederik


  • Staff

Hi,

Thanks for the feedback. :)

Your computer was also infected though, so please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
