shawn857 asked:

ESET online scanner found some trojans... worried that more may be hidden.

Hello experts, my old IBM Thinkpad laptop has been acting rather slow for the last while - particularly while in Firefox. A couple of weeks ago my eBay account was hacked into and some bogus items were purchased on my credit card, so I'm fearing some sort of backdoor trojan has infiltrated my laptop. I ran ESET online scanner yesterday and it found and cleaned these viruses:

C:\Documents and Settings\All Users\Application Data\RoboSoft\dump\APP-00FA03289C1\SITE-00F811B52A1.htm	HTML/Iframe.B trojan	deleted
C:\Documents and Settings\JD\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\45\16bab12d-3a388b4c	multiple threats,a variant of Java/Exploit.Agent.RSM trojan,a variant of Java/Exploit.Agent.PNG trojan,a variant of Java/Exploit.Agent.PNF trojan	cleaned by deleting
C:\Documents and Settings\JD\My Documents\Downloads\190unlocker.exe	Win32/Adware.ADON potentially unwanted application	deleted
C:\PMAIL\MAIL\FOL06413.PMM	HTML/ScrInject.B trojan	deleted
C:\RECYCLER\S-1-5-21-1455450049-4218601970-2604882262-1005\HELP_DECRYPT.HTML	Win32/Filecoder.CryptoWall.CR trojan	deleted
C:\RECYCLER\S-1-5-21-1455450049-4218601970-2604882262-1005\HELP_DECRYPT.TXT	Win32/Filecoder.CryptoWall.CR trojan	deleted
C:\WINDOWS\uninstac.exe	a variant of Win32/PCCleaners.A potentially unwanted application	cleaned by deleting

... now I'm rather worried there might be more lurking. Regarding what you see above for "Win32/Filecoder.CryptoWall.CR" - I did have this trojan over a year ago... it encrypted a lot of my files but fortunately I had a good backup and restored and cleaned out the trojan at that time. I guess the ESET scan found an old "RECYCLER" folder with those two files as a remnant of my old cleaning.
   Anyway, would someone be able to give me some guidance on how to do a really good and thorough malware check just to make sure everything is clean now? I've run malwarebytes recently and it found nothing.

Thanks!
   Shawn
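The ESET result list above is tab-separated: path, detection name, action taken. As an added example (not part of the thread and not ESET's tooling), the following Python triages lines in that format by ESET's detection-name conventions and by where the object sat on disk, so a cached Java exploit (a still-open entry point) stands apart from a Recycle Bin leftover or a dormant download. The sample rows reuse findings from the list above; the family and location rules are my own heuristics.

```python
"""Triage of ESET Online Scanner result lines (added example, not ESET's code).

Each line is tab-separated: <path> TAB <detection name> TAB <action taken>.
Tags by detection-name convention and on-disk location separate an active entry
point (an exploit cached by a browser plug-in) from dormant or leftover objects.
"""
import re
from collections import Counter

# Constructed sample in the scanner's format, reusing findings quoted in the thread.
SAMPLE_ROWS = [
    (r"C:\Documents and Settings\JD\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\45\16bab12d-3a388b4c",
     "multiple threats,a variant of Java/Exploit.Agent.RSM trojan,a variant of Java/Exploit.Agent.PNG trojan",
     "cleaned by deleting"),
    (r"C:\Documents and Settings\JD\My Documents\Downloads\190unlocker.exe",
     "Win32/Adware.ADON potentially unwanted application", "deleted"),
    (r"C:\RECYCLER\S-1-5-21-1455450049-4218601970-2604882262-1005\HELP_DECRYPT.HTML",
     "Win32/Filecoder.CryptoWall.CR trojan", "deleted"),
    (r"C:\WINDOWS\uninstac.exe",
     "a variant of Win32/PCCleaners.A potentially unwanted application", "cleaned by deleting"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"

# Fragments of ESET detection names and the category each implies (own heuristics).
FAMILY_RULES = [
    (r"Filecoder", "ransomware"),
    (r"Exploit", "exploit artifact"),
    (r"Iframe|ScrInject", "web injection"),
    (r"potentially unwanted application", "PUA"),
]
# Where the object sat decides whether it was an active vector or just debris.
LOCATION_RULES = [
    (r"\\RECYCLER\\", "recycle bin (remnant of an earlier cleanup)"),
    (r"\\Sun\\Java\\Deployment\\cache\\", "Java applet cache (drive-by exploit attempt)"),
    (r"\\Downloads\\", "user downloads (dormant unless run)"),
    (r"^C:\\WINDOWS\\", "Windows directory (installed component)"),
]

def variants(detection):
    """'multiple threats,a variant of X,a variant of Y' -> ['X', 'Y']."""
    names = [n.strip() for n in detection.split(",") if n.strip() != "multiple threats"]
    return [re.sub(r"^a variant of ", "", n) for n in names]

def parse_line(line):
    """Parse one result line into a finding dict with family and location tags."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        raise ValueError(f"expected 3 tab-separated fields, got {len(parts)}: {line!r}")
    path, detection, action = parts
    families = [cat for pat, cat in FAMILY_RULES if re.search(pat, detection, re.I)]
    location = next((note for pat, note in LOCATION_RULES if re.search(pat, path, re.I)), "other")
    return {
        "path": path, "action": action, "variants": variants(detection),
        "families": families or ["unclassified"], "location": location,
        # Only a cached exploit points at a still-open entry point (here the Java plug-in).
        "active_vector": "exploit artifact" in families and location.startswith("Java"),
    }

def triage(log_text):
    """Return (findings, per-category counts, whether a plug-in exploit was cached)."""
    findings = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    summary = Counter(cat for f in findings for cat in f["families"])
    return findings, summary, any(f["active_vector"] for f in findings)
```

Run `triage(SAMPLE_LOG)` on a real ESET log pasted into `SAMPLE_LOG`; a true third return value means the plug-in that cached the exploit is still the thing to remove, whatever the scanner already deleted.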
dbrunton:

>>  I've run malwarebytes recently and it found nothing.

Run Malwarebytes again.  You haven't used it since the ESET scanner so now use it again.

Also use Adwcleaner  http://www.bleepingcomputer.com/download/adwcleaner/ as well.

If you aren't using Windows 10 also try Combofix  http://www.bleepingcomputer.com/download/combofix/

Use CCleaner (free version) https://www.piriform.com/ccleaner/download to clean up your system.

Check your Firefox extensions.  Do you need all of them?  Do you know how reputable they are?
shawn857 (asker):

Thanks dbrunton. OK I ran Malwarebytes again last night, it found nothing. Then I ran Adwcleaner. It found a few things, none of which I think were too serious. Here was the output:


# AdwCleaner v6.020 - Logfile created 27/09/2016 at 05:22:05
# Updated on 14/09/2016 by ToolsLib
# Database : 2016-09-27.1 [Server]
# Operating System : Microsoft Windows XP Service Pack 3 (X86)
# Username : JD - IBM-CA399E2B0C9
# Running from : C:\Documents and Settings\JD\My Documents\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\Documents and Settings\All Users\Start Menu\Programs\Codec
[-] Folder deleted: C:\Documents and Settings\JD\Local Settings\Application Data\Geckofx


***** [ Files ] *****

[-] File deleted: C:\user.js


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\SlimBrowserHtml
[-] Key deleted: HKLM\SOFTWARE\Classes\vbalTBar.cToolbar
[-] Key deleted: HKLM\SOFTWARE\Classes\vbalTBar.cToolbarHost
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7854F00C-DC77-477E-A10E-603F48442D3B}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}
[-] Key deleted: HKU\S-1-5-21-1455450049-4218601970-2604882262-1005\Software\ProgSense
[-] Key deleted: HKU\S-1-5-21-1455450049-4218601970-2604882262-1005\Software\AppDataLow\Software\adawarebp
[#] Key deleted on reboot: HKCU\Software\ProgSense
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\adawarebp
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Companion Plugin
[#] Key deleted on reboot: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\coupon companion plugin


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [2062 Bytes] - [27/09/2016 05:22:05]
C:\AdwCleaner\AdwCleaner[S0].txt - [2255 Bytes] - [27/09/2016 05:18:23]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2208 Bytes] ##########

Then I tried Combofix (my laptop has XP Professional)... I ran into some snags here and it did not complete its run.  I use a free firewall called "PrivateFirewall 7.0". When I install new software, it always pops up little windows asking to accept/decline this or that.. it's normal. During the installation of Combofix it asked for confirmation of what must have been 40 or 50 EXEs - I don't know if this is normal or not. Then later in the installation, it popped up a window saying that I needed to have "Microsoft Recovery Console" installed (and I didn't), so it offered to install it for me. It popped up another window asking if I had "Windows XP Home version", to which I clicked NO, as I have XP Pro. Then the Combofix window displayed that it was setting a system restore point, and it never got much further than that. After about 20 minutes of nothing, no disk activity or anything, I just moved my mouse and tapped a key on my keyboard and found that everything was frozen - no response... so I rebooted. That's where things stand right now.

Also, I did a complete fresh re-install of Firefox a week or so ago... so there are no extensions or anything. I will try another browser "refresh" right now as well.

Thanks
   Shawn
dbrunton:

Possibly clashed with Private Firewall.  Private Firewall is good.  Leave Combofix alone then.

Leave things as they are for a couple of weeks and then run Adwcleaner, Mbam and Eset again in that order.  If nothing else shows after that time you are probably good.
shawn857:

Well, thanks, but I don't know how comfortable I am with just the "wait and see" approach. Wait until I get charged with more bogus purchases or have my system wiped out? I'm afraid my browser might be somehow hijacked because every now and then while I'm browsing, I get the hourglass cursor and everything just freezes up for maybe 20 seconds or so. Other times, I'll be typing something into the browser, and the characters appear only one by one very slowly on the screen... like something could be logging them. I did a full uninstall and re-download and installed Firefox a couple of weeks ago and it seemed to work better for a while, then kinda went to hell again. Maybe I should do that again since I've run ESET and Adwcleaner...?

Thanks
    Shawn
ASKER CERTIFIED SOLUTION by dbrunton (text available only to members)

shawn857 (asker):

Thanks dbrunton, good advice. You wrote:

Won't hurt to remove and reinstall Firefox.

>> Have completely uninstalled and will no longer be using.

If you want security use Google Chrome for online banking and purchases.  Don't save passwords in the browser.  Use a password manager.  I recommend Keepass2.  You can backup the password file to a USB stick or the Internet.  Slightly more awkward than having the passwords saved in the browser.

>> I imported all my old Firefox bookmarks into Chrome and will be using it exclusively now. Only thing is - it says it is no longer supported and no more updates cause I'm still on Windows XP. Should this be a concern?

I presume you are surfing as a Restricted User rather than an Administrator?

>> I bought this machine 2nd hand from someone about 5 years ago... the "user" he had set up at that time was called "JD" and I just kept using that - I don't know if I am "Administrator" or not. When I boot up it just goes right into the "JD" account with no need for passwords or anything.

Remove Java from your system and Flash as well.  If you need to see Flash documents use Chrome to do that.

>> OK, I will do so, thanks.

Remove Adobe Acrobat from your system and use PDF viewer (free version).

>> I don't have Acrobat, I use Foxit PDF reader. I do have Adobe AIR though... I don't even know what that does really. Should I get rid of it?

Run the Kaspersky Root Kit killer http://usa.kaspersky.com/downloads/TDSSKiller over your system as well.

>> Will do... thanks!


I'll let you know how all this goes....

Thanks
   Shawn
shawn857:

Remove Java altogether as well? Don't I need this for a lot of things?

Thanks
   Shawn
shawn857:

dbrunton, I already went ahead and ran the Kaspersky Rootkit utility. I set every option in the utility "on" - including to scan for unsigned certificates. I attached screenshots of the results it gave. It found 11 "threats" - all of which appear to be of the "unsigned file" variety. I just wanted to run these by you before I delete/skip them. You'll see some that say "Shock" something something - this IBM laptop has some kind of "anti-shock" system utility built-in for whenever the laptop is ever abruptly physically moved. So I guess those files are okay... the others, I'm not so sure of.

Thanks!
   Shawn
Attachments: kaspersky1.jpg, kaspersky2.jpg
dbrunton:

I think most of them are OK.  I'll check them out in the next 24 hours.  For example vtserver appears to be fingerprint software for the ThinkVantage or IBM.
shawn857:

Thank you Sir.

Shawn
dbrunton:

AegisP  See http://www.bleepingcomputer.com/startups/AegisP.sys-27398.html for more information and if that seems correct to you it should be OK.

IBMTPCHK  See http://www.bleepingcomputer.com/startups/IBMBLDID.SYS-23443.html for more information

PMEM  Can't find anything about this one.

QCNDISIF  See http://www.runscanner.net/lib/qcndisif.sys.html for more information.

Shockmgr  See http://www.bleepingcomputer.com/startups/ShockMgr.sys-24161.html for more information.

Shockprf  See http://www.bleepingcomputer.com/startups/Shockprf.sys-24154.html for more information.

ShmiHlp  See http://www.bleepingcomputer.com/startups/SMI_helper_driver-24164.html for more information.

ssrtln  Most likely a driver from Sonic Solutions for writing to CDs or DVDs.  Can't get a good confirmation on this.

TPDiskPM  See http://www.bleepingcomputer.com/startups/TPDiskPM.sys-24155.html for more information on this.

vtserver  See http://www.file.net/process/vtserver.exe.html for more information.  Check this file location in your machine as against what is in the link here but I suspect it is safe and for fingerprint logins.

WmcCds  See http://www.file.net/process/wmccds.exe.html  Possibly but not necessarily for XBox.  Check file size and location in your machine as against what is shown in the link here.

OK, I've been through your list and can't find anything about a file called PMEM.  Can you find this on your system and what folder it is in?  Also ssrtln, can you do the same as well?
shawn857:

Thanks for that. Mostly all these files look okay and are part of IBM thinkpad system stuff. PMEM seems okay according to this:

http://www.paraesthesia.com/archive/2005/06/30/pmem-service-failure.aspx/

The only one that I'm wondering about is WmcCds - I scanned my whole C drive and could not find a file by that name, so I'm going to quarantine it. If it's for Xbox or something like that, which I don't use, then I don't need it.


Going back a couple of messages I had asked the following things.. could you give me your thoughts on them please?

>> I imported all my old Firefox bookmarks into Chrome and will be using it exclusively now. Only thing is - it says it is no longer supported and no more updates cause I'm still on Windows XP. Should this be a concern?

>> I bought this machine 2nd hand from someone about 5 years ago... the "user" he had set up at that time was called "JD" and I just kept using that - I don't know if I am "Administrator" or not. When I boot up it just goes right into the "JD" account with no need for passwords or anything.

>> I don't have Acrobat, I use Foxit PDF reader. I do have Adobe AIR though... I don't even know what that does really. Should I get rid of it?

>> Remove Java altogether as well? Don't I need this for a lot of things?


Thanks!
    Shawn
dbrunton:

Foxit is OK.

Adobe AIR, keep it, unless you have install media and serial number for it

Java.  Unless you have specific applications that use it and that you need, or Internet sites that need it, get rid of it.  Not recommended for use on the Internet as it is a good way to get into a computer.  Check what version you have and note it somewhere.  Then uninstall Java.  If some application doesn't work you know what version of Java to download for it.

Chrome is no longer supported on XP and Firefox is going that way as well.  So you are sort of stuck there ...

Go to Control Panel and follow the tutorial here http://www.free-computer-tutorials.net/windows-xp-tutorials-controlpanel.html to see what account yours is and how to add new accounts.  If your account is an Administrator one then create a new one and make it a Limited User.  You don't need a .NET passport.  Reboot as a Limited User and see how it works.  You'll probably have to switch back and forth between the two accounts to copy all of your data across.  But you'll surf much safer using a Limited User account.

Don't quarantine WmcCds.  Just move it aside to another folder taking note of where you got it from.  If multimedia doesn't work then put it back.  I suspect it isn't harmful.
shawn857:

dbrunton, regarding CCleaner (I haven't run it yet)... there's something about it that makes me uneasy - it seems kind of vague about what it is set up to do. See the attached screenshot... under the "Applications" tab it had all these applications checked by default that I do use - does that mean it was going to delete them? I certainly don't want that...

Thanks
   Shawn
Attachment: ccleaner.JPG
dbrunton:

Nope.

It's going to clean up all of the temporary files that those applications generate.  If you want to keep those files, e.g. cookies from Internet browsing, then untick the application concerned.  It deletes only the temporary files and not actual data.

For example if you have Word documents it will keep those but if there are temp files generated by Word that are not actual data, it will delete those.
shawn857:

OK thanks, I will run CCleaner soon. Also last night I ran "HitmanPro". It found a lot of harmless tracking cookies which I deleted, but it also found these two files it said were "Suspicious":

c:\windows\PEV.exe
c:\windows\system32\stdvcl32.dll

Would you have any thoughts on those please?

Thanks
    Shawn
dbrunton:

PEV.exe is probably part of Combofix.  Check the date, it should be within the last week when you tried to run it.

Also see http://slickdeals.net/f/1444479-solved-mysterious-file-pev-exe-component-of-combofix

The second is a standard Delphi file installed by some application.
shawn857 (asker):

PEV.exe is probably part of Combofix.  Check the date, it should be within the last week when you tried to run it.
Also see http://slickdeals.net/f/1444479-solved-mysterious-file-pev-exe-component-of-combofix

>> Creation date last week - Sept 27. About that ComboFix - I can't find anywhere to uninstall it off my system. Not in the Add/Remove Programs. There is a C:\Combofix folder when I browse my directories in Windows Explorer, but take a look at the screenshot attached... the contents of that ComboFix folder seem to be all my *other* folders on my hard drive! Is that normal??


The second is a standard Delphi file installed by some application.

>> OK, no problem, that's fine.
Attachment: combofix.JPG
shawn857:

Sorry for the absence there... got sidetracked on some other matters. OK, picking up where we left off - things seem to be pretty good. Did the full uninstall for Combofix as per your suggested site and that worked fine. Computer seems to be running fine, just a couple of final lingering questions please:


>>Don't quarantine WmcCds.  Just move it aside to another folder taking note of where you got it from.  If multimedia doesn't work then put it back.  I suspect it isn't harmful.

This was from the Kaspersky Rootkit run. It found this "suspicious" file, but when I searched my hard drive for it, I couldn't even find it, so I wound up quarantining it. It doesn't seem to have caused any problems.

>>Go to Control Panel and follow the tutorial here http://www.free-computer-tutorials.net/windows-xp-tutorials-controlpanel.html to see what account yours is and how to add new accounts.  If you account is an Administrator one then create a new one and make it a Limited User.  You don't need a .NET passport.  Reboot as a Limited User and see how it works.  You'll probably have to switch back and forth between the two accounts to copy all of your data across.  But you'll surf much safer using a Limited User account.

Well truth is, I don't even know if this existing "JD" account I use is even an Administrator account - I'm thinking it is cause there's never seemed to be any restrictions on this computer. I'm not sure though. I'm hesitant to create another "Limited" type account cause I do have lots of stuff (programs, 3rd party components, data, etc... I'm a Delphi programmer), that I would have to copy over, and that sounds like it could be a real rat's nest of problems.

Thanks!
     Shawn
dbrunton:

>>  I'm hesitant to create another "Limited" type account

Create two more Administrator accounts and give them passwords.  Check they work OK by logging in and out of them.  Then using one of the Administrator accounts turn the JD account into a Limited account.

Test the JD account and see if you can do all of your work.  If you can then you are all set to go.  If it doesn't work then use the other Administrator account to turn the JD back to Administrator.
shawn857:

Thanks db, I will try that. I guess I am alright now... but just a couple of last questions please:

- should I try and run Combofix again... this time first disabling my Private Firewall?
- Chrome works okay for the most part, but I sometimes find it painfully slow to load some pages (big pages with videos, ads, etc... even facebook sometimes). Would Opera browser be a viable option instead?

Thanks!
   Shawn
dbrunton:

Leave Combofix out of it at present, unless something else pops up.

Now as for your Thinkpad, how much memory does it have and what is the processor?  Chrome is a bit of a memory hog and if you run with a number of Tabs open you can easily chew up memory.  If you've got addins then they too can slow the browser down.

If you run AdBlock for Chrome then that will cut down on the number of ads you get presented with.
shawn857 (asker):

Leave Combofix out of it at present, unless something else pops up.

>> OK

Now as for your Thinkpad, how much memory does it have and what is the processor?  

>> 2 GHz processor and 1 gig of RAM running XP Pro. She's a bit of an oldie.

Chrome is a bit of a memory hog and if you run with a number of Tabs open you can easily chew up memory.  If you've got addins then they too can slow the browser down.


>> Yeah I've noticed this. No, no addins... just Chrome straight out of the box.


If you run AdBlock for Chrome then that will cut down on the number of ads you get presented with.

>> OK, I might do that. That's a Chrome plugin, I take it?

I've been trying Opera browser for the last few days... it's not bad but something that is really annoying is when I open a new tab, punch in a URL and it just sits there with "Speeddial" showing in the browser tab for like 30 seconds before it finally brings up the site. "Speeddial" alright!! Is that normal for Opera... or is something mis-configured I wonder?

Thanks
   Shawn
dbrunton:

Possibly too many entries in Speed Dial.  I'm not familiar with Opera.

AdBlock for Chrome is an addin.  https://chrome.google.com/webstore/detail/adblock/gighmmpiobklfepjocnamgkkbiglidom

You've got 1 GB of memory.  If possible add more.  Windows XP will thank you.  Don't know which model of Thinkpad it is but if you can max it up to 4 GB.  If it is a single core see if a dual core processor exists.
shawn857:

My old laptop can take 2 gigs... I might get some more if it's cheap enough. OK db, I have taken enough of your time - thank you so much for the top-notch help!

Cheers
   Shawn
dbrunton:

Excellent!