slow computer/videos

30 replies to this topic

#16 nasdaq

  • Malware Response Team
  • 20,815 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 June 2013 - 12:29 PM

We may not be looking for an infection just right now.

Some Policies may have been corrupted in this computer and we must find out.

If these additional computers are connected to/using the same router, it just may be that the router has been compromised.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html



#17 leejones

  • Topic Starter
  • Members
  • 17 posts

Posted 01 June 2013 - 01:02 PM

here is the Farbar log:

-----------------------------

Farbar Service Scanner Version: 31-05-2013 01
Ran by Suzy (administrator) on 01-06-2013 at 12:50:17
Running from "C:\Documents and Settings\Suzy\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0E00000005000000010000000200000003000000040000000F0000000E0000000D0000000C000000080000000B000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****

---------------------------------

did not select other services
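The Farbar Service Scanner log above ends with an "Extra List" that pairs networking services with their load-order tags and a hex blob the tool verifies ("IpSec Tag value is correct"). The Python below is an added example, not code from Farbar or from either poster, that decodes that blob and repeats the check. It assumes the blob is the REG_BINARY GroupOrderList value for the PNP_TDI group (a little-endian DWORD count followed by that many DWORD tags); the sample text is copied from the log, everything else is the example's own.

```python
"""Decode the "Extra List" block of a Farbar Service Scanner log and verify
that each listed service's load-order tag appears in the group order blob.

Assumption (not stated in the log): the blob is the REG_BINARY value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\GroupOrderList\\PNP_TDI, laid out as
one little-endian DWORD count followed by that many little-endian DWORD tags.
"""
import re
import struct

# Sample input copied from the log in the post above.
SAMPLE_EXTRA_LIST = """\
Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0E00000005000000010000000200000003000000040000000F0000000E0000000D0000000C000000080000000B000000060000000700000009000000
IpSec Tag value is correct.
"""


def parse_group_order_blob(hex_blob):
    """Return the ordered list of tags in a GroupOrderList-style blob.

    Raises ValueError when the length or the leading count does not match,
    which is what a corrupted or tampered value would look like.
    """
    digits = hex_blob[2:] if hex_blob[:2].lower() == "0x" else hex_blob
    raw = bytes.fromhex(digits)
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("blob is not a whole number of DWORDs")
    (count,) = struct.unpack_from("<I", raw, 0)
    if 4 + 4 * count != len(raw):
        raise ValueError(f"count {count} does not match {len(raw) // 4 - 1} tags")
    return list(struct.unpack_from(f"<{count}I", raw, 4))


def parse_service_tags(line):
    """'Gpc(3) IPSec(5) ...' -> {'Gpc': 3, 'IPSec': 5, ...}"""
    return {name: int(tag) for name, tag in re.findall(r"(\w+)\((\d+)\)", line)}


def check_extra_list(text):
    """Repeat the scanner's check over a pasted Extra List section."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    tag_line = next(ln for ln in lines if re.search(r"\w+\(\d+\)", ln))
    blob_line = next(ln for ln in lines if ln.lower().startswith("0x"))
    services = parse_service_tags(tag_line)
    order = parse_group_order_blob(blob_line)
    return {
        "order": order,
        "services": services,
        # A service whose tag is absent from the list would not load with the group.
        "missing": sorted(n for n, t in services.items() if t not in order),
        "duplicates": sorted({t for t in order if order.count(t) > 1}),
        "ipsec_ok": services.get("IPSec") in order,
    }


if __name__ == "__main__":
    result = check_extra_list(SAMPLE_EXTRA_LIST)
    print("load order:", result["order"])
    print("missing:", result["missing"] or "none", "| IpSec tag ok:", result["ipsec_ok"])
```

On the blob from this log the count DWORD is 0x0E (14) and the tags decode to 5, 1, 2, 3, 4, 15, 14, 13, 12, 8, 11, 6, 7, 9, so every service named on the line above it (tags 3, 4, 5, 6, 7) is present and the scanner's verdict is reproduced. A length/count mismatch or a missing tag is the condition the scanner's "not correct" message corresponds to.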

 

 



#18 nasdaq

  • Malware Response Team
  • 20,815 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 June 2013 - 01:38 PM

All is well with that log.

Please scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#19 leejones

  • Topic Starter
  • Members
  • 17 posts

Posted 01 June 2013 - 03:36 PM

this is what it found

C:\Documents and Settings\Suzy\Local Settings\Temp\HRyWXRtc.zip.part    Win32/Kryptik.BCHG trojan    deleted - quarantined

still acts the same, maybe a little bit better on the videos

 



#20 nasdaq

  • Malware Response Team
  • 20,815 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 June 2013 - 08:10 AM

I looked at the errors listed on the OTL log. McAfee had some problems on May 28.

It may be a good thing to remove it completely and reinstall the application.

Download and run this tool.
McAfee's removal tool.
http://mcafee-removal-tool.com/

When completed restart the computer normally.

Reinstall the application.

Keep me posted

#21 leejones

  • Topic Starter
  • Members
  • 17 posts

Posted 03 June 2013 - 12:13 AM

I tried to reinstall McAfee and the cd/dvd-rom did not run it .... I had to go into My Computer.

I double clicked on McAfee in the (D:) drive, then I clicked on the installer option to try to run it from there; after it was checking to make sure everything was ok to install,

a window popped up saying

McAfee integrated security platform installer has encountered a problem and needs to close

I looked at the error to post it here; it said how to find it

but I did not find it

(I also tried to reinstall in safe mode but it did the same thing)

Also I tried to run one old av software (just to see if it started up; it did not); 2 music cd's it did play but I had to go into My Computer to run them.

I'm not sure what caused this because I have not used my cd/dvd drive in about a month.

This has happened before but years ago.

(forgot to add that I downloaded a file .... but I'm 60 percent sure that it's not that)

Edited by leejones, 03 June 2013 - 12:36 AM.


#22 nasdaq

  • Malware Response Team
  • 20,815 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 June 2013 - 07:41 AM

This may be outdated but provides advice on how to proceed.

https://community.mcafee.com/thread/33292

First make sure you have a newer version of Internet Explorer.

Before doing anything I would install Microsoft Security Essentials, so that you have some protection.
http://windows.microsoft.com/en-CA/windows/security-essentials-download

If you still want to install McAfee then I suggest you contact them if the problem persists with their installation disk.

#23 leejones

  • Topic Starter
  • Members
  • 17 posts

Posted 03 June 2013 - 09:53 PM

I ran mcpreinstall and it showed

CPU (!)
Memory (Check)
Free drive space (Check)

and then I logged in to my account to try to install from there; the same error came up.

Then I updated IE to IE 8 (could not update to 9) and tried to install McAfee

and it worked .... but I still had to go to My Computer to run it.

I did a scan with McAfee and it found a - trojan - called - Artemis!588F8565DA37 - on the desktop;

it was ComboFix as the renamed - leejones.exe

Then a while later a McAfee warning pop-up found the same thing again with the same name

Artemis!588F8565DA37

but it was called - A0019318.exe -

in C:\System volume information\_Restore(D10615EF-9311-4FDD-BD12-7CCF9D1C5323)RP46

------------------------------------------

Everything works the same + still the cd/dvd drive only works if I go to My Computer (no autoplay/autorun).

----------------------------------

Did not run Microsoft Security Essentials.

I will if you want me to.

 



#24 nasdaq

  • Malware Response Team
  • 20,815 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 June 2013 - 09:00 AM

What I suspect is that although ComboFix did not complete its operation, the autorun/autoplay feature may have been changed.


The autorun/autoplay feature, when enabled, causes one of two things to happen depending on previously made choices.

1. When a cd-rom or dvd is inserted, or a usb device (camera, flashdrive, external hard drive, etc) is attached, Windows will open a message window that provides a list of actions to take based on the content of the device or media.

2. If on prior occasion of the message window, the user selected to always perform the same action with certain types of media/device, there will be no message window opened upon detection of media/device. Instead, it will automatically run the previously selected program or execute the same behavior.

Example: with autorun/autoplay enabled you insert a music cd. Windows will detect the cd and its contents, then open a message window that might offer to play the cd with Media Player, Music Match Jukebox, or any of many applications you may or may not have installed.
Insert a Movie DVD and Windows might prompt you to view it with Power DVD, Media Player, etc.

Example: with autorun/autoplay enabled and on a previous prompt for action the box was checked to always apply the same action, Windows might automatically open Roxio CD Creator or Nero Burning ROM when a blank cd is inserted.

Plug in a usb camera and Windows might open or prompt you to use the Scanner and Camera Transfer Wizard to transfer the pictures to your computer.

Plug in a flash drive and Windows might open or prompt you to use Windows Explorer to browse the contents of the flash drive. It may also just execute an infection residing on the flash drive, thereby infecting your computer.

Insert a game cd or software cd, and Windows might automatically begin the installation setup.

Malware authors have begun to exploit the autorun/autoplay feature, so the author of ComboFix, in an effort to help protect your computer from becoming infected via that avenue, configured ComboFix to disable it. Many security apps disable it as well, and even Microsoft recommends disabling it.

Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (cd, dvd, usb flash or external harddrive). Pictures on a camera can still be accessed/transferred through My Pictures and selecting Get Pictures from a Scanner or Camera. Media can also be accessed via the program you intend to use it with, such as music cds accessed via Media Player, blank cds via your burning program, image handling software provided with the camera, etc.

I do recommend you leave the feature disabled and get into the habit of accessing those media devices manually; however, I will send you via PM the information required to re-enable the autoplay feature should you decide to do so.


Let me know.

#25 leejones

  • Topic Starter
  • Members
  • 17 posts

Posted 04 June 2013 - 11:19 AM

Yes, please tell me how.

I've been trying to fix it (I would be fine leaving autoplay/autorun off)

but I want to make sure I can turn it back on (to make sure that it's not damage from a virus).



#26 nasdaq

  • Malware Response Team
  • 20,815 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 June 2013 - 01:07 PM

See my Personal message.

Let me know how it is now,

#27 leejones

  • Topic Starter
  • Members
  • 17 posts

Posted 04 June 2013 - 02:59 PM

It worked, thanks.

If I delete fix.reg, will that then disable it again?

Also, are there any other programs to run to try to fix the other issue?



#28 nasdaq

  • Malware Response Team
  • 20,815 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 June 2013 - 07:41 AM

"if i delete fix.reg that will then disable it again ?"

No, the registry settings were changed.

Microsoft is offering this protection for Windows XP
Update to the AutoPlay functionality in Windows
http://support.microsoft.com/kb/971029
===

Run the RogueKiller tool and fix this item if still listed.

¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
===

Please boot to Safe mode with Internet Connectivity and run ComboFix. Can you get a log?

#29 leejones

  • Topic Starter
  • Members
  • 17 posts

Posted 06 June 2013 - 07:33 AM

I ran the XP update and then afterwards restarted my computer (just to be safe), and there was a problem with the update (it disabled the keyboard, but after searching I found out that just removing the battery fixes it).

Ran RogueKiller; it only found:

HJPOL   HKCU   SOFTWARE\Microsoft\Windows\CurrentVe...   disableregis...   0
HJPOL   HKLM   SOFTWARE\Microsoft\Windows\CurrentVe...   DisableTas...     0
HJPOL   HKLM   SOFTWARE\Microsoft\Windows\CurrentVe...   DisableRegi...    0
HJ      HKLM   SOFTWARE\Microsoft\Security Center        AntiVirusDi...    1
HJ      HKLM   SOFTWARE\Microsoft\Security Center        FirewallDis...    1

Did not delete anything.

-----------------------------------------------------------

I rebooted into safe mode with networking, ran ComboFix (no mouse clicks);

same thing happened.

Restarted, then a few hours later tried again in safe mode but ran rkill then ComboFix ... same thing
(reinstalled and renamed both programs in safe mode).

A few hours later again; this time I stopped some programs in Task Manager, right-clicked, Run as, and unchecked
"Protect my computer and data from unauthorized program activity" (basically it said it may make programs work incorrectly if checked).

Then once more last night (1:19am-6am) in safe mode with networking, but I uninstalled all Java and Flash programs, then ran rkill, then ComboFix,

and the same thing.

On all of these attempts it just stayed on:

scanning for infected files ...
this typically doesn't take more than 10 minutes
however, scan times for badly infected machines may easily double

----------------------------------------------------------

Searching online I found this:

Combofix does not like bad file systems so try running a disk check:
1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed,
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, then reboot.

Uninstall the anti-virus.

Open a Command Prompt

msconfig

Select Diagnostic Boot, reboot

Go back into Command prompt:

"%userprofile%\Desktop\combofix.exe" /killall

(Make sure you put a space before the /killall)

---------------------------------

Did not try this.

If you think it would work I will.
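Post #24 explains what ComboFix changed (autorun/autoplay), post #28 answers that deleting fix.reg does not undo it because the registry values were already rewritten, and post #29 lists the HJPOL/HJ registry entries RogueKiller still flags. The Python below is an added example, not code from ComboFix, RogueKiller or either poster, that audits a constructed snapshot of such values, decodes the autorun bitmask, and builds the text of a fix .reg file. Assumptions: the autorun setting is the well-known NoDriveTypeAutoRun bitmask under Policies\Explorer (the posts never name the value nasdaq's PM changed), the truncated RogueKiller paths are expanded to the usual Policies\System and Security Center keys, and the snapshot values are made up to match the post.

```python
"""Audit registry policy values of the kind RogueKiller reports (HJPOL/HJ),
decode the NoDriveTypeAutoRun bitmask, and emit a .reg file that repairs them.

Assumptions: NoDriveTypeAutoRun is the value behind the autorun/autoplay change
(the thread never names it), and the truncated RogueKiller paths expand to the
usual Policies\\System and Security Center keys.  Run with no arguments.
"""

# Bits of NoDriveTypeAutoRun; a set bit disables autorun for that drive type.
DRIVE_BITS = [
    (0x01, "unknown"),
    (0x02, "no root directory"),
    (0x04, "removable"),
    (0x08, "fixed"),
    (0x10, "network"),
    (0x20, "CD-ROM"),
    (0x40, "RAM disk"),
    (0x80, "unknown (reserved)"),
]
XP_DEFAULT_AUTORUN = 0x91    # Windows XP default: unknown, network and reserved types off
ALL_AUTORUN_DISABLED = 0xFF  # what hardening tools set: autorun off for every drive type

# Policy values (HJPOL) that lock the user out of a tool when set to 1.
RESTRICTION_POLICIES = {"DisableRegistryTools", "DisableTaskMgr"}
# Security Center values (HJ) that silence its warnings when set to 1.
NOTIFY_SUPPRESSORS = {"AntiVirusDisableNotify", "FirewallDisableNotify"}

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# Constructed snapshot, modelled on the RogueKiller lines in the post above.
SAMPLE_SNAPSHOT = {
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 0,
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr": 0,
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 0,
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify": 1,
    r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify": 1,
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun": 0xFF,
}


def autorun_disabled_types(mask):
    """Drive types whose autorun/autoplay the mask switches off."""
    return [name for bit, name in DRIVE_BITS if mask & bit]


def split_path(path):
    """'HKLM\\a\\b\\Name' -> ('HKEY_LOCAL_MACHINE', 'a\\b', 'Name')"""
    key, _, name = path.rpartition("\\")
    hive, _, subkey = key.partition("\\")
    return HIVES[hive], subkey, name


def audit_snapshot(snapshot):
    """Return (path, value, message) for every value worth a second look."""
    findings = []
    for path, value in snapshot.items():
        name = split_path(path)[2]
        if name in RESTRICTION_POLICIES:
            # RogueKiller lists these even at 0: a home PC normally has no such value at all.
            state = "active" if value == 1 else "present but inactive"
            findings.append((path, value, f"{name} restriction policy {state}"))
        elif name in NOTIFY_SUPPRESSORS and value == 1:
            findings.append((path, value, f"{name}=1 hides Security Center warnings"))
        elif name.lower() == "nodrivetypeautorun":
            off = ", ".join(autorun_disabled_types(value)) or "nothing"
            findings.append((path, value, f"autorun disabled for: {off}"))
    return findings


def reg_stanza(path, value=None):
    """One .reg stanza: write a DWORD, or delete the value when value is None."""
    hive, subkey, name = split_path(path)
    data = "-" if value is None else f"dword:{value:08x}"
    return f'[{hive}\\{subkey}]\n"{name}"={data}\n'


def build_fix_reg(snapshot, autorun_mask=XP_DEFAULT_AUTORUN):
    """Text of a fix.reg that removes the restrictions, re-enables Security
    Center warnings and sets the autorun mask.  Regedit applies it once;
    deleting the .reg file afterwards does not revert anything."""
    parts = ["Windows Registry Editor Version 5.00\n"]
    for path, value in snapshot.items():
        name = split_path(path)[2]
        if name in RESTRICTION_POLICIES:
            parts.append(reg_stanza(path))            # delete the policy value
        elif name in NOTIFY_SUPPRESSORS and value == 1:
            parts.append(reg_stanza(path, 0))
        elif name.lower() == "nodrivetypeautorun":
            parts.append(reg_stanza(path, autorun_mask))
    return "\n".join(parts)


if __name__ == "__main__":
    for path, value, msg in audit_snapshot(SAMPLE_SNAPSHOT):
        print(f"{value:#04x}  {msg}  <- {path}")
    print(build_fix_reg(SAMPLE_SNAPSHOT))
```

Two practical points the code makes concrete: a mask of 0xFF (the hardened setting) switches autorun off for every drive type including the CD-ROM, which is exactly the "only works if I go to My Computer" symptom, and a `.reg` file is a one-shot import, so the values it writes stay in the hive whether or not the file is kept. If the aim is to keep autorun off for removable media while letting optical discs autoplay, pass a mask with the 0x20 bit clear (0xDF) instead of the XP default.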

 

 

 



#30 nasdaq

  • Malware Response Team
  • 20,815 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 June 2013 - 09:17 AM

Run RogueKiller and use the Delete option. The entries will either be deleted or updated. No worries.

===

Make sure that you did run the Check Disk program.
The command is CHKDSK; this will check the integrity of your Hard Disk.

When done, and after a restart, try "%userprofile%\Desktop\combofix.exe" /killall

It may be the solution.



