justscrapenby Posted May 21, 2012 ID:553290
I'm really stumped on this one! When it became apparent that I had a virus/malware, I ran my usual scans: Malwarebytes, Norton Anti-virus, Adaware, and they showed zero infections. It appears that something is periodically running in the background, as indicated by the circle next to the cursor and confirmed by Task Manager and Resource Monitor. The computer runs sluggish at times and the cursor will freeze up. Then it "breaks loose" and everything runs normal. Please help! Thanks!
Attachments: DDS.txt, Attach.txt
MrCharlie Posted May 21, 2012 ID:553315
Welcome to the forum.
Please go to your control panel's Add/Remove Programs and uninstall these:
Blekko search bar
I Want This
------------------------------
Then.......
Please remove any USB or external drives from the computer before you run this scan!
Please download and run RogueKiller.
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
Click Scan to scan the system (don't run any other options, they're not all bad!)
Post back the report.
MrC
justscrapenby Posted May 21, 2012 Author ID:553468
Thanks for the quick reply! I followed your instructions and attached the RogueKiller report. I somehow missed those 2 programs or they were installed after the last time I had checked. Either way, great heads up!
Attachment: RKreport1.txt
MrCharlie Posted May 21, 2012 ID:553470
OK, run RogueKiller again and click Scan.
When the scan completes > click on the Registry tab.
Put a check next to all of these and uncheck the rest:

¤¤¤ Registry Entries: 5 ¤¤¤
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HIDDEN VAL] HKLM\[...]\Run : @ () -> FOUND

Now click Delete on the right hand column.
---------------------------------------------
Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com (<---renamed version)
Save it to your desktop.
Double click on the icon on your desktop.
Click the Scan All Users checkbox.
Push the Quick Scan button.
The scan will take about 10 minutes...depends on your hard drive size.
Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
MrC
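The two entries in that RogueKiller list that matter most to a defender are EnableLUA = 0 (User Account Control switched off, so later changes need no consent prompt) and the "hidden" default value on the Run key, which Regedit shows as "(Default)" and many autostart viewers skip. The following read-only PowerShell audit is an added example, not part of the thread or of RogueKiller; it assumes the abbreviated "[...]" paths are the standard Policies\System and CurrentVersion\Run locations, and it changes nothing.

```powershell
# Added audit script (not from the thread). Read-only: reports the state of
# the locations RogueKiller flagged; it deletes or rewrites nothing.
# Assumption: "[...]" in the report stands for the standard locations below.

# EnableLUA = 0 means User Account Control is disabled.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = (Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue).EnableLUA
if ($null -eq $uac)  { 'EnableLUA not set' }
elseif ($uac -eq 0)  { Write-Warning 'EnableLUA = 0: UAC is disabled' }
else                 { "EnableLUA = $uac (UAC on)" }

# Autostart entries. RogueKiller's "[HIDDEN VAL] ... Run : @ ()" is the key's
# default (unnamed) value; GetValueNames() returns it as an empty string, so
# it is listed here alongside the named entries instead of being skipped.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit view on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$entries = foreach ($path in $runKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }                      # key absent on this machine
    foreach ($name in $key.GetValueNames()) {
        $label = if ($name -eq '') { '(Default)' } else { $name }
        if ($name -eq '') {
            Write-Warning "Default value is set on $path - review it"
        }
        [pscustomobject]@{
            Key  = $path
            Name = $label
            Data = $key.GetValue($name)
        }
    }
}

$entries | Format-Table -AutoSize
```

Run it in an elevated PowerShell session before and after the cleanup: the "before" run confirms what the scanner reported, and the "after" run shows that EnableLUA is back to 1 and the default value on Run is gone.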
justscrapenby Posted May 22, 2012 Author ID:553477
Ran OTL, but when it was scanning Chrome settings, a pop up said "List index is out of bounds (845)." OTL then froze up.
I attached a screen shot.
MrCharlie Posted May 22, 2012 ID:553481
Do this instead......
Please make sure System Restore is running and create a new restore point before continuing.
XP <===> Vista & W7
XP users > please back up the registry using ERUNT.
-----------------------------------------
Please download and run TDSSKiller to your desktop as outlined below:
Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
-------------------------
Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
------------------------
Click the Start Scan button.
-----------------------
If a suspicious object is detected, the default action will be Skip, click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue.
Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.
----------------------
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
--------------------
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt".
Please copy and paste its contents on your next reply.
-------------------
Here's a summary of what to do if you would like to print it out:
If a suspicious object is detected, the default action will be Skip, click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue.
Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
MrC
justscrapenby Posted May 22, 2012 Author ID:553490
Here are the results of the TDSSKiller scan.
Attachment: TDSSKiller.2.7.36.0_21.05.2012_21.58.09_log.txt
MrCharlie Posted May 22, 2012 ID:553552
OK, that scan was clean.....
Please download and run ComboFix.
The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.
Please visit this webpage for download links, and instructions for running ComboFix:
http://www.bleepingc...to-use-combofix
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Information on disabling your malware programs can be found Here.
Make sure you run ComboFix from your desktop. Please include the C:\ComboFix.txt in your next reply for further review.
---------->NOTE<----------
If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.
MrC
justscrapenby Posted May 22, 2012 Author ID:553577
Here's the ComboFix log. It locked up on stage 4. Found a Norton scanner that wasn't disabled. Re-ran and was successful.
Attachment: ComboFix.txt
MrCharlie Posted May 22, 2012 ID:553652
Do you know what these folders are from??
c:\windows\system32\ca-ES
c:\windows\system32\eu-ES
c:\windows\system32\vi-VN
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the quotebox below into it:
4. If ComboFix wants to update.....please allow it to.

Folder::
c:\program files\blekkotb_soc
c:\programdata\blekko toolbars

DDS::
uStart Page = hxxp://blekkosearch.mystart.com/blekkotb_soc/?source=86adbc52&toolbarid=blekkotb_soc&u=20120519BB5D48759368802DD7F87761&tbp=homepage

Save this as CFScript.txt, in the same location as ComboFix.exe.
Referring to the picture above, drag CFScript into ComboFix.exe.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
After reboot, (in case it asks to reboot)......
Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.
MrC
justscrapenby Posted May 22, 2012 Author ID:553700
No idea what those files were. But it looks like they were removed. Here is the 2nd ComboFix log.
Attachment: ComboFix2.txt
MrCharlie Posted May 22, 2012 ID:553716
One more scan and we'll see how it is.....
Next, please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
http://www.eset.eu/online-scanner
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the options Remove found threats and Scan unwanted applications are checked.
Click Advanced settings and select the following:
Scan potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Click Start.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
MrC
justscrapenby Posted May 23, 2012 Author ID:553852
Here is the ESET scan log.
Attachment: log.txt
MrCharlie Posted May 23, 2012 ID:553929
Did the scan find anything? That log doesn't tell me much. MrC
justscrapenby Posted May 23, 2012 Author ID:553938
No it didn't, but it said more than the log file. I ran it twice because I couldn't even find the log file from the 1st scan. I will run it again just to make sure. I've attached a screen shot of the last finished scan.
MrCharlie Posted May 23, 2012 ID:553943
OK, let me know.....MrC
justscrapenby Posted May 23, 2012 Author ID:554010
I ran ESET again. No infected files and the log.txt file was exactly like the other one. Norton Security Suite and Bit Defender were turned off.
MrCharlie Posted May 23, 2012 ID:554028
OK......
Please Update and run a Quick Scan with MBAM, post the report.
Make sure that everything is checked, and click Remove Selected.
Please let me know how it is, MrC
justscrapenby Posted May 23, 2012 Author ID:554035
Updated and ran Malwarebytes. The results are attached.
Attachment: mbam-log-2012-05-23 (12-20-06).txt
MrCharlie Posted May 23, 2012 ID:554037
Clean...How's the computer running now??? MrC
justscrapenby Posted May 23, 2012 Author ID:554101
Seems to be working great! No pop-ups, redirects and no cursor freezeups! Thank you sir!
MrCharlie Posted May 23, 2012 ID:554105
Good. Please uninstall ComboFix:
Press the Windows logo key + R to bring up the "run box".
Copy and paste the next command in the field:
ComboFix /uninstall
Make sure there's a space between ComboFix and /
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.
---------------------------------
Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)
Any other programs or logs you can manually delete.
-------------------------------
You have out-of-date Java on the system; older versions are vulnerable to malware.
Please go to your control panel's Add/Remove Programs and uninstall these:
Java Auto Updater
Java™ 6 Update 32
Java™ SE Runtime Environment 6
Then download and install the latest version, Java™ 7 Update 4.
http://www.java.com/...load/manual.jsp <---latest version
http://www.java.com/...d/installed.jsp <---verify your Java
-----------------------------------
Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.
Take a look at My Preventive Maintenance to avoid being infected again.
Good Luck and Thanks for using the forum, MrC
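The Java advice above turns on a detail that is easy to miss: a Java installer does not always remove the previous major version, so a machine can carry an old, exploitable runtime next to a current one (the thread's system had Java 6 Update 32 and the Java 6 SE Runtime side by side). The inventory below is an added example, not part of the thread or of any Java tooling; it reads the Add/Remove Programs registry hives and the java.exe on PATH, and removes nothing.

```powershell
# Added inventory script (not from the thread). Lists every Java entry that
# Add/Remove Programs knows about, from both 64-bit and 32-bit views and the
# per-user hive, then reports which java.exe the PATH actually resolves to.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$java = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation, UninstallString |
    Sort-Object DisplayName

if (-not $java) {
    'No Java entries in Add/Remove Programs.'
} else {
    $java | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
    # More than one runtime usually means an older one survived an upgrade.
    if (@($java).Count -gt 1) {
        Write-Warning ("{0} Java entries found; uninstall the older ones." -f @($java).Count)
    }
}

# The runtime a browser plug-in or a double-clicked .jar uses is not always the
# newest one installed, so also check what the PATH resolves to.
$javaExe = Get-Command java.exe -ErrorAction SilentlyContinue
if ($javaExe) {
    "java.exe on PATH: " + $javaExe.Path
    & $javaExe.Path -version 2>&1        # java prints its version to stderr
} else {
    'No java.exe on PATH.'
}
```

Compare the versions this prints with the current release on java.com; every entry older than that release is one to uninstall through Add/Remove Programs, as the post above describes.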
Maurice Naggar Posted May 24, 2012 ID:554290
Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!