Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My computer locked up and now runs really slow


  • This topic is locked This topic is locked
18 replies to this topic

#1 mistergreen

mistergreen

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:05:17 PM

Posted 06 March 2009 - 08:08 PM

Even from Safe Mode, I can't run Anti-Malware. Another thing that is wierd is that my Internet Explorer is acting strange. I went to Google something and the text size is larger than usual. Then, every link I click on takes me to some ad. I Googled Bleepingcomputer and it wouldn't let me select the link.

I have a Dell Inspiron B130 running Windows XP Home. I have Trend Micro PC-cillin currently runniing a scan...
The problem with reality is the lack of background music

BC AdBot (Login to Remove)

 


#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,104 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:17 PM

Posted 06 March 2009 - 08:19 PM

Please try a couple of these free online scanners to see if anything has slipped by your protection:
(Be advised that some of these scanners will pickup things in "quarantine" from other anti-virus programs - so review the results carefully)

http://www.pandasecurity.com/homeusers/solutions/activescan/
http://us.mcafee.com/root/mfs/default.asp
http://housecall.trendmicro.com
http://www.bitdefender.com/scan8/ie.html
http://support.f-secure.com/enu/home/ols.shtml
http://onlinescan.avast.com/
http://ca.com/us/securityadvisor/virusinfo/scan.aspx
http://www.eset.com/onlinescan/

http://www.kaspersky.com/virusscanner Scan Only - no removal


If you find that you're infected (or the scan doesn't complete or closes unexpectedly), post in the Am I Infected forum located here: http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

Louis

#3 mistergreen

mistergreen
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:05:17 PM

Posted 06 March 2009 - 08:33 PM

Please try a couple of these free online scanners to see if anything has slipped by your protection:
(Be advised that some of these scanners will pickup things in "quarantine" from other anti-virus programs - so review the results carefully)

http://www.pandasecurity.com/homeusers/solutions/activescan/
http://us.mcafee.com/root/mfs/default.asp
http://housecall.trendmicro.com
http://www.bitdefender.com/scan8/ie.html
http://support.f-secure.com/enu/home/ols.shtml
http://onlinescan.avast.com/
http://ca.com/us/securityadvisor/virusinfo/scan.aspx
http://www.eset.com/onlinescan/

http://www.kaspersky.com/virusscanner Scan Only - no removal


If you find that you're infected (or the scan doesn't complete or closes unexpectedly), post in the Am I Infected forum located here: http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/




Louis



Thanks Louis. I'll let you know what I find.

George

Edited by mistergreen, 06 March 2009 - 08:34 PM.

The problem with reality is the lack of background music

#4 mistergreen

mistergreen
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:05:17 PM

Posted 06 March 2009 - 09:27 PM

Okay Louis,
PC-cillin found nothing. I was able to run Malwarebyte's Anti-malware by renaming the exe file. It looks like I had a Rootkit.TDSS. Shall I post my MBAM log?

Thanks,
George

Edited by mistergreen, 06 March 2009 - 09:27 PM.

The problem with reality is the lack of background music

#5 OldGrumpyBastard

OldGrumpyBastard

  • Members
  • 781 posts
  • OFFLINE
  •  
  • Location:"Way South of 'da Bridge"
  • Local time:04:17 PM

Posted 07 March 2009 - 06:37 AM

IMHO,

If MBAM deteced Rootkit.TDSS, that may be the tip of the iceberg...I would immediately open up a topic in the "Am I Infected" forum for more expert help. I would also suggest that untill your computer is cleaned-up that you limit your use of the internet. These types of infections (Backdoor Trojans) and the like are extremely dangerous. Information is being stolen from you that you probably don't want to share. I most definately suggest that you don't do any online banking or make any purchases online.

Please don't post any logs in this topic...They will be ignored or your topic will be moved or closed...You can post the logs in the "Am I Infected" forum but not here...

IF MBAM was able to clean this up GREAT but I would suggest a little deeper look into things...THIS IS NOT SOMETHING THAT YOU WANT TO MESS AROUND WITH

Edited by OldGrumpyBastard, 07 March 2009 - 06:39 AM.

Does this look like an OldGrumpyBastard or what?

#6 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SW Louisiana
  • Local time:03:17 PM

Posted 07 March 2009 - 10:02 AM

No need to start a new topic.
I'll move this one to the Am I infected? What do I do? forum.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

Become a BleepingComputer fan: Facebook

#7 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:17 PM

Posted 07 March 2009 - 11:06 AM

Shall I post my MBAM log?


Please do, we can start from there
Chewy

No. Try not. Do... or do not. There is no try.

#8 mistergreen

mistergreen
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:05:17 PM

Posted 08 March 2009 - 01:15 PM

Here is my first scan Chewy:

Malwarebytes' Anti-Malware 1.34
Database version: 1822
Windows 5.1.2600 Service Pack 3

3/6/2009 9:09:14 PM
mbam-log-2009-03-06 (21-09-14).txt

Scan type: Quick Scan
Objects scanned: 67813
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\UACqfjqjxpn.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACqsciwipw.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACrueddmbu.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACvrvmlxwp.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\UACjovrdqpq.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\User\Local Settings\Temp\UACb68d.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACc956.tmp (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACacpwypde.log (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UAChyubrxfm.dat (Trojan.Agent) -> Delete on reboot.



After running this scan, MBAM cleaned the files. I then ran a full scan:

Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 3

3/6/2009 9:53:52 PM
mbam-log-2009-03-06 (21-53-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 126635
Time elapsed: 39 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by mistergreen, 08 March 2009 - 01:29 PM.

The problem with reality is the lack of background music

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:17 PM

Posted 08 March 2009 - 01:45 PM

There maybe another rootkit hiding from MBAM

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
I am kicking this upstairs

Edited by DaChew, 08 March 2009 - 01:45 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#10 mistergreen

mistergreen
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:05:17 PM

Posted 08 March 2009 - 03:38 PM

Here is the gmer log:

GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-08 16:36:10
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA8CF0F20] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\asyncmac.sys[NDIS.SYS!NdisMRegisterMiniport] [A814A100] \SystemRoot\System32\Drivers\tm_cfw.sys (Trend Micro Common Firewall Module 2.0/Trend Micro Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device \FileSystem\Fastfat \Fat A7683D20

AttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACjovrdqpq.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACjovrdqpq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACjovrdqpq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACrueddmbu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UAChyubrxfm.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACqsciwipw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACvrvmlxwp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACqfjqjxpn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACacpwypde.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UAChaskortv.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACilxlwwxg.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACjovrdqpq.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACjovrdqpq.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACrueddmbu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UAChyubrxfm.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACqsciwipw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACvrvmlxwp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACqfjqjxpn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACacpwypde.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UAChaskortv.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACilxlwwxg.log

---- EOF - GMER 1.0.15 ----
The problem with reality is the lack of background music

#11 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:17 PM

Posted 08 March 2009 - 03:51 PM

IMHO,

If MBAM deteced Rootkit.TDSS, that may be the tip of the iceberg...I would immediately open up a topic in the "Am I Infected" forum for more expert help. I would also suggest that untill your computer is cleaned-up that you limit your use of the internet. These types of infections (Backdoor Trojans) and the like are extremely dangerous. Information is being stolen from you that you probably don't want to share. I most definately suggest that you don't do any online banking or make any purchases online.

Please don't post any logs in this topic...They will be ignored or your topic will be moved or closed...You can post the logs in the "Am I Infected" forum but not here...

IF MBAM was able to clean this up GREAT but I would suggest a little deeper look into things...THIS IS NOT SOMETHING THAT YOU WANT TO MESS AROUND WITH



Good call

I am a little disappointed that SAS file was flagged but the UAC one was what I was looking for

This rootkit will require tools and training not available in this forum

Please read the prepartions for the HJT forum

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Chewy

No. Try not. Do... or do not. There is no try.

#12 mistergreen

mistergreen
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:05:17 PM

Posted 08 March 2009 - 04:12 PM

Thanks for your help Chewy. Is there anything particular I should include in the title of my new topic?
The problem with reality is the lack of background music

#13 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:17 PM

Posted 08 March 2009 - 04:46 PM

UACrootkit and include a link to this tread
Chewy

No. Try not. Do... or do not. There is no try.

#14 mistergreen

mistergreen
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:05:17 PM

Posted 08 March 2009 - 04:54 PM

UACrootkit and include a link to this tread


Will do, thanks.
The problem with reality is the lack of background music

#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,594 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:17 PM

Posted 09 March 2009 - 07:18 AM

IMPORTANT NOTE: One or more of the identified infections was related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please follow the Prep Guide as DaChew instructed.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users