[Resolved] Dell Dimension 2350 running slow

[mmi16]

Thanks -

I was not aware of the bells & whistles on this forum.

[1972vet]

SunBelt's CounterSpy has been discontinued. It appears that you downloaded the setup executable. It was at one time an excellent piece of software but today, I wouldn't even consider it now that it's support will end in just over a month.

The log indicates that combofix has been run for a total (so far) of 4 times on that machine. I'd like to see the other logs produced, which would be located in the qoobox folder at the root of c:\.

You have ERUNT installed. Combofix will install it if you haven't. One of the combofix findings, is of an unsigned file copy (well, a couple of them).

Combofix found a suitable copy from which to correct this. That copy was found in one of your ERUNT backup copies made...years ago. The ERUNT copy that combofix found was made  on 1/31/09. You should locate the copy that ERUNT made from that date and delete it. Ask me if you need instructions how to do that...otherwise, please read on.

I should also ask, when you installed it (if you did), did you opt to allow ERUNT to create a backup with each reboot? I might point out, that if you did do that, then you should also monitor the number of backup copies that ERUNT has made and make it a habit to delete old copies much quicker than the nearly three years since it made the file in question. Allowing ERUNT to make copies with each reboot is something that, if left alone, could cause a serious "free space" shortage that will most certainly affect performance...specifically, one would complain of slow performance issues. If you in fact did not install ERUNT, then we need to assume the copy was made when combofix was run way back then. If that's the case, you can disregard the request for the other combofix logs in the qoobox folder.

Next, please open a blank Notepad by clicking start-->run...Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


KILLALL::

FCopy::
c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll | c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
c:\windows\SYSTEM32\DLLCACHE\mspmsnsv.dll | c:\windows\SYSTEM32\mspmsnsv.dll

Folder::
c:\program files\Yontoo Layers Client
c:\program files\Florida Sea Sm\screen saver
c:\documents and settings\Chuck\Application Data\Imixmi
c:\program files\Common Files\McAfee

Driver::
mfetdi2k
mfendisk
diwfadgf
mfevtp
cfwids
mfefirek
mfendisk
mferkdet

Rootkit::
c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys
c:\windows\SYSTEM32\DRIVERS\mfendisk.sys
c:\windows\system32\drivers\diwfadgf.sys
c:\windows\SYSTEM32\DRIVERS\cfwids.sys
c:\windows\SYSTEM32\DRIVERS\mfefirek.sys
c:\windows\SYSTEM32\DRIVERS\mfendisk.sys
c:\windows\SYSTEM32\DRIVERS\mferkdet.sys

File::
c:\program files\VNC.exe
c:\program files\counterspy-setup.exe
c:\program files\Common Files\SM1updtr.dll

DDS::
Trusted Zone:

Reglock::
[HKEY_USERS\S-1-5-21-2031567766-2786617065-2852452587-1006\Software\Microsoft\SystemCertificates\AddressBook*]

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Florida Sea Sm screen saver"=-
"Florida Sea Sm web link"=-
"{AF3B420A-1581-F3AD-3394-2621EA86BB85}"=-

[mmi16]

Did a search for ERUNT - didn't find any thing.

How is it located?

[1972vet]

You can find it in Windows but the fact you even asked means to me, that you evidently didn't install it so I wouldn't concern yourself.

[mmi16]

Attached is the prior ComboFix log...It was run by a computer tech I hired because of problems that poped up in April of this year.  As a result of this incident, the tech removed McAfee and installed Microsoft Security Essentials

[mmi16]

In browsing Windows I don't see ERUNT but I do see a folder ERDNT - any relation?

[mmi16]

One other piece of info I'll throw out (short remember stages as I get older)

The Display Properties (right click on a clear desktop) has lost all it's tabs - no Screensaver Tab or any of the other tab that are normally here.  I have no firm idea of when I lost it - I know for certain I had it in the fall of 2010 - I went to change my Wallpaper picture this October and the tabs were gone.

[1972vet]

Attached is the prior ComboFix log...It was run by a computer tech I hired because of problems that poped up in April of this year.  As a result of this incident, the tech removed McAfee and installed Microsoft Security Essentials

OK, I did say that if you didn't install ERUNT, then you can disregard the request for the older cf logs. I would also point out, the "computer tech" you hired did NOT remove your McAfee product. Not entirely that is. Much of your "slow performance" is due to the disaster that McAfee left behind. You have remnants of it's security drivers and services still running and wrestling with your Microsoft Security Essentials.

Please be advised, as to anti-virus products, just one installed and running real time protection is all that is recommended. Of course, you seem to have known that but when the old anti-virus product was attempted to be removed, the pieces left behind should have stuck out like a sore thumb. I am quite amused that a "computer tech" for hire didn't recognize it while it was staring him/her right in the face. Perhaps the paycheck obscured the view...

The combofix script that I constructed for you will have removed all the left over McAfee pieces and you will have noticed a marked improvement...if you would have just run it as requested. Please do, and post back the resulting log. Thanks!

[mmi16]

Ran ComboFix with your scripts.

Now I can't get that box to communicate with the net or with my household network in talking to this lap top.

To run Combofix I turned the power off the the DSL modem, which is located next to my keyboard,  to cut off the Internet as well as turning off MSE from real time.  After the completion of Combofix - the Network connection is saying the 'cable is unpluged' and I never touched the network cable to the box.

I know I must sound like a real train wreck.  Sorry.

[1972vet]

May I see the combofix log please?

[mmi16]

May I see the combofix log please?

I cannot locate the 'snapshot log file for the run done on 11-13 - the only 'snapshot' log file in the Qoobox folder are from the 11-12 and earlier runs.   There are a copule of files dated 11-13

[1972vet]

I cannot locate the 'snapshot log file for the run done on 11-13 - ...

It would be located at the root of c:\ and named just combofix.txt. Please post that one. Thanks!

[mmi16]

Found it

[1972vet]

Thanks. I see no reason why that system cannot access the net nor any of your networked systems at home. Absolutely nothing relating to networking was removed from the combofix scan. Please be certain to do nothing with that system other than what is instructed here...if you have thus far, please let me know.

I'd still like to see a fresh DDS scan log. It's the same thing that you did in the "Dell" thread under Bugbatter's instruction. Let's do this again please. From your working machine, please download these to some removal media and transfer that to the affected machine:

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here. Next, please download all three of these free utilities these locations...
Here,
Here...and
Here.

Note - Some infections may prevent certain executable files from running on your computer. If one of these downloads results in a failed run of the utility, please try the next one until you find one that will work on your machine

Double click dds.scr to run the tool

• When it completes, DDS will open two (2) logs:
• DDS.txt
• Attach.txt
• Save both reports to your desktop.

Next, Download GMER from the following location and save it to your removable media as well.

GMER Download Link 1
GMER Download Link 2 (Only use if the previous link does not work)

• Right-click on the gmer.zip icon and select the Extract all... menu option. You should now see the gmer folder.
  
• Open the folder and double-click on the gmer.exe icon. Please "ok" any prompts to allow the program to start.
• You should now see the main GMER window. If you receive a warning about rootkit activity asking if you want to run a full scan, please click on the NO button.
  
• We now need to configure GMER to prevent some features from being used during the scan. Please uncheck the following settings (we do NOT want to see these in our scan):
  • IAT/EAT
  • Drives/Partition other than Systemdrive,[/b]  which is typically C:\
    
  • Show All <<Important. Don't miss this one
    
• Now that you have removed the check marks from the boxes for those items listed above, please click the Scan button.
  This scan may take quite some time, so please be patient. When it has finished, you will be back at the main screen.
  
  
• Please click on the Save... button and save the report to your desktop. Please name the saved file ark.txt
  
  
• Please do not act on any of the information in this report. Many legitimate programs could be listed there.
• Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.

Please remember to include the following logs in your next reply.

• DDS.txt
  
• Attach.txt
  
• ARK.txt
  

[mmi16]

Thanks. I see no reason why that system cannot access the net nor any of your networked systems at home. Absolutely nothing relating to networking was removed from the combofix scan. Please be certain to do nothing with that system other than what is instructed here...if you have thus far, please let me know.

I'd still like to see a fresh DDS scan log. It's the same thing that you did in the "Dell" thread under Bugbatter's instruction. Let's do this again please. From your working machine, please download these to some removal media and transfer that to the affected machine:

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here. Next, please download all three of these free utilities these locations...
Here,
Here...and
Here.

The last link gave me a 404 error.