STUMPED!


22 replies to this topic

#1 justscrapenby

justscrapenby

    New Member

  • Members
  • 11 posts
  • Gender:Male
  • Location:Kansas City area
  • Interests:Computers

Posted 21 May 2012 - 09:52 AM

I'm really stumped on this one! When it became apparent that I had a virus/malware, I ran my usual scans: Malwarebytes, Norton Anti-virus, Adaware, and they showed zero infections. It appears that something is periodically running in the background, as indicated by the circle next to the cursor and confirmed by Task Manager and Resource Monitor. The computer runs sluggish at times and the cursor will freeze up. Then it "breaks loose" and everything runs normal. Please help! Thanks!


#2 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,137 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 21 May 2012 - 11:24 AM

Welcome to the forum

Please go to your control panels add/remove programs and uninstall these:

Blekko search bar

I Want This


------------------------------

Then.......


Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system (don't run any other options, they're not all bad!)
Post back the report.

MrC

Malware Removal Expert


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

#3 justscrapenby

Posted 21 May 2012 - 06:49 PM

Thanks for the quick reply! I followed your instructions and attached the Rogue Killer report. I somehow missed those 2 programs or they were installed after the last time I had checked. Either way, great heads up!


#4 MrCharlie

Posted 21 May 2012 - 06:59 PM

OK, run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest:

¤¤¤ Registry Entries: 5 ¤¤¤
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HIDDEN VAL] HKLM\[...]\Run : @ () -> FOUND



Now click Delete on the right hand column.

---------------------------------------------


Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.
Double click on the icon on your desktop.
Click the Scan All Users checkbox.
Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

MrC
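Added example (not from this thread and not RogueKiller's own code): a small Python helper that parses registry findings in the report format quoted above and flags the two entries a defender would act on first, the UAC policy being switched off (EnableLUA = 0) and a hidden, unnamed value under a Run autostart key. The sample report is constructed from the five lines in the reply above; the field names and the triage rules are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the five RogueKiller entries quoted in the reply above.
SAMPLE_REPORT = """\
¤¤¤ Registry Entries: 5 ¤¤¤
[HJ] HKLM\\[...]\\System : EnableLUA (0) -> FOUND
[HJ] HKCU\\[...]\\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\\[...]\\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\\[...]\\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HIDDEN VAL] HKLM\\[...]\\Run : @ () -> FOUND
"""

# One report line: [TAG] <key path> : <value name> (<data>) -> <STATE>
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>\S+)\s+:\s+(?P<name>.+?)\s+"
    r"\((?P<data>[^)]*)\)\s+->\s+(?P<state>\w+)$"
)


@dataclass
class RegistryFinding:
    tag: str    # RogueKiller category, e.g. HJ or HIDDEN VAL
    key: str    # registry key path as printed (RogueKiller elides the middle)
    name: str   # value name; "@" is the default (unnamed) value
    data: str   # value data, empty when the tool printed "()"
    state: str  # FOUND / DELETED etc.


def parse_report(text):
    """Return the registry findings in a RogueKiller-style report excerpt."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            findings.append(RegistryFinding(**m.groupdict()))
    return findings


def triage(findings):
    """Pair each high-priority finding with the reason it matters.

    EnableLUA=0 under the System policy key means User Account Control is
    disabled, so anything the user runs already has full rights.  A hidden
    default value under a Run key is an autostart that normal installers do
    not create.  The remaining [HJ] shell tweaks are left for human review."""
    flagged = []
    for f in findings:
        if f.name == "EnableLUA" and f.data == "0":
            flagged.append((f, "UAC disabled (EnableLUA=0)"))
        elif f.tag == "HIDDEN VAL" and f.key.endswith("\\Run"):
            flagged.append((f, "hidden autostart value under Run key"))
    return flagged
```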

#5 justscrapenby

Posted 21 May 2012 - 07:43 PM

Ran OTL, but when it was scanning Chrome settings, a pop up said "List index is out of bounds (845)." OTL then froze up.
I attached a screen shot.


#6 MrCharlie

Posted 21 May 2012 - 08:20 PM

Do this instead......

Please make sure system restore is running and create a new restore point before continuing.
XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.



-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:


If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

#7 justscrapenby

Posted 21 May 2012 - 10:09 PM

Here are the results of the TDSSKiller scan


#8 MrCharlie

Posted 22 May 2012 - 06:51 AM

OK, that scan was clean.....

Please download and run ComboFix.
The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

#9 justscrapenby

Posted 22 May 2012 - 08:43 AM

Here's the ComboFix log. It locked up on stage 4. Found a Norton scanner that wasn't disabled. Re-ran and was successful.


#10 MrCharlie

Posted 22 May 2012 - 12:29 PM

Do you know what these folders are from??
c:\windows\system32\ca-ES
c:\windows\system32\eu-ES
c:\windows\system32\vi-VN

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
4. If ComboFix wants to update.....please allow it to.

Folder::
c:\program files\blekkotb_soc
c:\programdata\blekko toolbars
DDS::
uStart Page = hxxp://blekkosearch.mystart.com/blekkotb_soc/?source=86adbc52&toolbarid=blekkotb_soc&u=20120519BB5D48759368802DD7F87761&tbp=homepage


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......
Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

#11 justscrapenby

Posted 22 May 2012 - 01:49 PM

No idea what those files were. But it looks like they were removed. Here is the 2nd ComboFix log.


#12 MrCharlie

Posted 22 May 2012 - 02:22 PM

One more scan and we'll see how it is.....

Next, please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
http://www.eset.eu/online-scanner
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
Click Start
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

MrC

#13 justscrapenby

Posted 22 May 2012 - 09:14 PM

Here is the ESET scan log.

Attached file: log.txt (76 bytes)


#14 MrCharlie

Posted 23 May 2012 - 07:15 AM

Did the scan find anything, that log doesn't tell me much, MrC

#15 justscrapenby

Posted 23 May 2012 - 07:56 AM

No, it didn't, but it said more than the log file. I ran it twice because I couldn't even find the log file from the 1st scan. I will run it again just to make sure. I've attached a screen shot of the last finished scan.


#16 MrCharlie

Posted 23 May 2012 - 08:29 AM

OK, let me know.....MrC

#17 justscrapenby

Posted 23 May 2012 - 10:59 AM

I ran ESET again. No infected files and the log.txt file was exactly like the other one. Norton Security suite and Bit Defender were turned off.

#18 MrCharlie

Posted 23 May 2012 - 11:48 AM

OK......

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how it is, MrC

#19 justscrapenby

Posted 23 May 2012 - 12:28 PM

Updated and ran MalwareBytes. The results are attached.


#20 MrCharlie

Posted 23 May 2012 - 12:32 PM

Clean...How's the computer running now??? MrC