The malware seems to be gone, but my internet's 1/10 the speed!


  • This topic is locked
20 replies to this topic

#1 Damo1234

Damo1234

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 13 July 2009 - 06:19 PM

Last Friday I got some malware and viruses off someone else's USB device.

I used superantispyware, which seemed to clear everything up...

Except I'm going much slower online. MUCH slower. My connection status window tells me I've got an excellent connection, and should be moving at 54Mbps.

I went to http://www.speedtest.net/ to test how fast I'm moving and it said I'm downloading 1Mbps. It feels slower than that though. A simple google search takes a couple minutes for all the links to show. If I try a google image search, things go so slow that half the images won't load. I'm going much slower than I should be. I'm going much slower than other computers using the same DSL.

I've tried superantispyware, spyware doctor, malwarebytes' Anti-Malware, a "Housecall" at http://housecall.trendmicro.com/. Everything says that I've got a clean bill of health now.

I've tried uninstalling and reinstalling my Firefox browser.

I tried a system restore to a few days ago.

Nothing seems to fix the problem, and it's getting in the way of my work at this point.

Help, please!

Edited by Damo1234, 13 July 2009 - 06:33 PM.



#2 Moby Purple

Moby Purple

  • Members
  • 97 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Memphis, TN
  • Local time:02:20 PM

Posted 13 July 2009 - 07:33 PM

Is everything else slow or just Firefox? Right click on the Task Bar and select Task Manager. What is the CPU usage? If it is extremely high, say 50% or more, click on Show Processes from All Users. Click twice on the CPU header, and it will move the processes using the most resources to the top. See if you can determine what process(es) is the problem.

Also, what add-ons are you using with Firefox? You might try disabling or removing the add-ons and see if that helps. If it does, you can add them back one at a time until you find the culprit.

#3 Damo1234

Damo1234
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 13 July 2009 - 08:32 PM

Is everything else slow or just Firefox?


I tried internet explorer, that seemed just as slow. Then I tried having a friend send me a file over AIM, and that seemed to move at a normal speed.

Right click on the Task Bar and select Task Manager. What is the CPU usage?



00-08%. Pretty low.


Also, what add-ons are you using with Firefox? You might try disabling or removing the add-ons and see if that helps. If it does, you can add them back one at a time until you find the culprit.


Tried disabling all of them, no good.

#4 Moby Purple

Moby Purple

  • Members
  • 97 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Memphis, TN
  • Local time:02:20 PM

Posted 13 July 2009 - 09:47 PM

I was going to suggest emptying your browser cache, but you said IE was behaving the same way. It really sounds like spyware, but Malwarebytes and SuperAntiSpyware are the best and would have found something. If you had spyware and removed it, it is possible you have some corrupted files.

Have you checked with your ISP? I know you said there are other PCs using the same DSL, but it's possible the problem is something specific to your connection.

#5 Damo1234

Damo1234
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 14 July 2009 - 03:18 PM

Okay, some new info!

I checked Task Manager and I spotted iexplore.exe.

No internet explorer windows were open, but Task manager said the program's being opened by SYSTEM.

Whenever I close it, I go back to a good speed. But then iexplorer.exe starts up again a minute later and I'm back to moving at a snail's pace.

I can't get it to stay closed.

Thoughts?

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:20 PM

Posted 14 July 2009 - 04:18 PM

I used superantispyware, which seemed to clear everything up...


You are still infected

But then iexplorer.exe starts up again a minute later and I'm back to moving at a snail's pace.



Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

copy and paste into a reply

Also post that SAS log of the original infection and a new one done as specified below

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Chewy

No. Try not. Do... or do not. There is no try.

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,962 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:20 PM

Posted 14 July 2009 - 09:24 PM

Topic reopened and HijackThis log deleted at member's request.

@ Damo1234,

Please follow the instructions DaChew gave you in the previous post.

~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#8 Damo1234

Damo1234
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 15 July 2009 - 11:58 PM

No change yet.

But then iexplorer.exe starts up again a minute later and I'm back to moving at a snail's pace.



Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

copy and paste into a reply

Process PID CPU Description Company Name
System Idle Process 0 63.97
Interrupts n/a Hardware Interrupts
DPCs n/a 1.47 Deferred Procedure Calls
System 4 0.74
smss.exe 896 Windows NT Session Manager Microsoft Corporation
csrss.exe 952 Client Server Runtime Process Microsoft Corporation
winlogon.exe 976 Windows NT Logon Application Microsoft Corporation
services.exe 1020 0.76 Services and Controller app Microsoft Corporation
svchost.exe 1212 Generic Host Process for Win32 Services Microsoft Corporation
wmiprvse.exe 3652 WMI Microsoft Corporation
NMIndexStoreSvr.exe 5108 Nero Home Nero AG
BTSTAC~1.EXE 4212 Bluetooth Stack COM Server Broadcom Corporation.
iexplore.exe 6248 Internet Explorer Microsoft Corporation
iexplore.exe 6180 Internet Explorer Microsoft Corporation
svchost.exe 1284 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1324 Generic Host Process for Win32 Services Microsoft Corporation
wscntfy.exe 3664 Windows Security Center Notification App Microsoft Corporation
svchost.exe 1448 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1460 1.52 Generic Host Process for Win32 Services Microsoft Corporation
CCSETMGR.EXE 1684 Symantec Settings Manager Service Symantec Corporation
CCEVTMGR.EXE 1956 Symantec Event Manager Service Symantec Corporation
CCPROXY.EXE 2044 Symantec Network Proxy Service Symantec Corporation
PIFSvc.exe 160 LiveUpdate Notice Service Symantec Corporation
SNDSrvc.exe 232 Network Driver Service Symantec Corporation
SPBBCSvc.exe 288 SPBBC Service Symantec Corporation
symlcsvc.exe 304
spoolsv.exe 768 Spooler SubSystem App Microsoft Corporation
msdtc.exe 1168 MS DTC console program Microsoft Corporation
AluSchedulerSvc.exe 1348 Automatic LiveUpdate Scheduler Service Symantec Corporation
mDNSResponder.exe 1376 Bonjour Service Apple Computer, Inc.
btwdins.exe 1408 Bluetooth Support Server Broadcom Corporation.
svchost.exe 1544 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1640 Generic Host Process for Win32 Services Microsoft Corporation
jqs.exe 1696 Java™ Quick Starter Service Sun Microsystems, Inc.
LSSrvc.exe 1812 Hewlett-Packard Company
MemeoBackgroundService.exe 2128 MemeoBackgroundService Memeo
svchost.exe 2280 Generic Host Process for Win32 Services Microsoft Corporation
NSCSRVCE.EXE 2292 Norton Security Console Norton Protection Center Service Symantec Corporation
svchost.exe 2328 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 2436 Generic Host Process for Win32 Services Microsoft Corporation
ViewpointService.exe 2548 ViewMgr Viewpoint Corporation
VongoService.exe 2600 Vongo Download Manager Starz Entertainment Group LLC
mqsvc.exe 2632 Message Queuing Service Microsoft Corporation
hpqwmiex.exe 2664 hpqwmiex Module Hewlett-Packard Development Company, L.P.
wmpnetwk.exe 2868 Windows Media Player Network Sharing Service Microsoft Corporation
mqtgsvc.exe 3484 Windows NT MSMQ Trigger Service Microsoft Corporation
svchost.exe 3796 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 3804 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 3812 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 2740 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 4636 Generic Host Process for Win32 Services Microsoft Corporation
NMIndexingService.exe 4732 Nero Home Nero AG
NAVAPSVC.EXE 2532 Norton AntiVirus Auto-Protect Service Symantec Corporation
svchost.exe 492 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 1040 LSA Shell (Export Version) Microsoft Corporation
taskmgr.exe 5908 Windows TaskManager Microsoft Corporation
explorer.exe 7236 Windows Explorer Microsoft Corporation
SUPERANTISPYWARE.EXE 7376 6.06 SUPERAntiSpyware Application SUPERAntiSpyware.com
HP Wireless Assistant.exe 2196 HP Wireless Assistant Module Hewlett-Packard Development Company, L.P.
jusched.exe 2464 Java™ Platform SE binary Sun Microsystems, Inc.
igfxtray.exe 2744 igfxTray Module Intel Corporation
hkcmd.exe 2808 hkcmd Module Intel Corporation
igfxpers.exe 2972 persistence Module Intel Corporation
CCAPP.EXE 3120 Symantec User Session Symantec Corporation
SynTPEnh.exe 3140 Synaptics TouchPad Enhancements Synaptics, Inc.
hpwuSchd2.exe 3348 Hewlett-Packard Product Assistant Hewlett-Packard Co.
issch.exe 3452 InstallShield Update Service Scheduler Macrovision Corporation
QLBCTRL.exe 3588 QLB Controller Hewlett-Packard Development Company, L.P.
GrooveMonitor.exe 4288 GrooveMonitor Utility Microsoft Corporation
aim.exe 4404 AOL Instant Messenger America Online, Inc.
NMBgMonitor.exe 4476 Nero Home Nero AG
ctfmon.exe 4516 CTF Loader Microsoft Corporation
wmpnscfg.exe 4632 Windows Media Player Network Sharing Service Configuration Application Microsoft Corporation
TeaTimer.exe 4684 1.52 System settings protector Safer-Networking Ltd.
BTTray.exe 5256 Bluetooth Tray Application Broadcom Corporation.
hpqtra08.exe 5384 1.52 HP Digital Imaging Monitor Hewlett-Packard Co.
hpqste08.exe 5272 HP CUE Status Root Hewlett-Packard Co.
MemeoAutoSync.exe 5092 Memeo AutoSync Memeo Inc.
MemeoBackup.exe 5212 Memeo AutoBackup Client Memeo Inc.
hpqimzone.exe 4788 HP Photosmart Premier Hewlett-Packard Development Company, L.P.
firefox.exe 4400 3.03 Firefox Mozilla Corporation
WinRAR.exe 1916 WinRAR archiver Alexander Roshal
i_view32.exe 8016 IrfanView Irfan Skiljan
WinRAR.exe 7988 WinRAR archiver Alexander Roshal
i_view32.exe 6648 IrfanView Irfan Skiljan
i_view32.exe 6280 IrfanView Irfan Skiljan
i_view32.exe 1476 IrfanView Irfan Skiljan
WinRAR.exe 5568 WinRAR archiver Alexander Roshal
procexp.exe 4528 5.30 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
i_view32.exe 5120 IrfanView Irfan Skiljan
notepad.exe 6336 Notepad Microsoft Corporation
notepad.exe 7648 Notepad Microsoft Corporation
i_view32.exe 5768 IrfanView Irfan Skiljan
WINWORD.EXE 4284 Microsoft Office Word Microsoft Corporation
i_view32.exe 7504 IrfanView Irfan Skiljan
i_view32.exe 6936 IrfanView Irfan Skiljan
notepad.exe 7500 Notepad Microsoft Corporation





Also post that SAS log of the original infection and a new one done as specified below


New one

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/14/2009 at 07:28 PM

Application Version : 4.26.1006

Core Rules Database Version : 3988
Trace Rules Database Version: 1928

Scan type : Complete Scan
Total Scan Time : 02:29:35

Memory items scanned : 274
Memory threats detected : 0
Registry items scanned : 8250
Registry threats detected : 2
File items scanned : 210617
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\test\Cookies\test@questionmarket[2].txt
C:\Documents and Settings\test\Cookies\test@revsci[1].txt
C:\Documents and Settings\test\Cookies\test@advertising[2].txt
C:\Documents and Settings\test\Cookies\test@atdmt[2].txt
C:\Documents and Settings\test\Cookies\test@insightexpressai[1].txt
C:\Documents and Settings\test\Cookies\test@realmedia[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.bridgetrack[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@bs.serving-sys[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnaccountservices.112.2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnportal.112.2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@serving-sys[2].txt

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg


____________________



Old ones

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/12/2009 at 01:54 AM

Application Version : 4.26.1006

Core Rules Database Version : 3657
Trace Rules Database Version: 1638

Scan type : Complete Scan
Total Scan Time : 04:42:32

Memory items scanned : 926
Memory threats detected : 0
Registry items scanned : 8185
Registry threats detected : 0
File items scanned : 24769
File threats detected : 33

Adware.Tracking Cookie
C:\Documents and Settings\test\Cookies\test@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\test\Cookies\test@questionmarket[2].txt
C:\Documents and Settings\test\Cookies\test@ads.netrition[1].txt
C:\Documents and Settings\test\Cookies\test@c7.zedo[1].txt
C:\Documents and Settings\test\Cookies\test@adbrite[1].txt
C:\Documents and Settings\test\Cookies\test@msnportal.112.2o7[1].txt
C:\Documents and Settings\test\Cookies\test@revsci[2].txt
C:\Documents and Settings\test\Cookies\test@kontera[2].txt
C:\Documents and Settings\test\Cookies\test@apmebf[1].txt
C:\Documents and Settings\test\Cookies\test@interclick[2].txt
C:\Documents and Settings\test\Cookies\test@mediafire[2].txt
C:\Documents and Settings\test\Cookies\test@findarticles[1].txt
C:\Documents and Settings\test\Cookies\test@media6degrees[1].txt
C:\Documents and Settings\test\Cookies\test@mediaplex[1].txt
C:\Documents and Settings\test\Cookies\test@doubleclick[1].txt
C:\Documents and Settings\test\Cookies\test@2o7[1].txt
C:\Documents and Settings\test\Cookies\test@advertising[1].txt
C:\Documents and Settings\test\Cookies\test@a1.interclick[2].txt
C:\Documents and Settings\test\Cookies\test@atdmt[1].txt
C:\Documents and Settings\test\Cookies\test@ad.yieldmanager[1].txt
C:\Documents and Settings\test\Cookies\test@content.yieldmanager[1].txt
C:\Documents and Settings\test\Cookies\test@insightexpressai[1].txt
C:\Documents and Settings\test\Cookies\test@adlegend[2].txt
C:\Documents and Settings\test\Cookies\test@content.yieldmanager.edgesuite[1].txt
C:\Documents and Settings\test\Cookies\test@counter.hitslink[1].txt
C:\Documents and Settings\test\Cookies\test@ads.bridgetrack[1].txt
C:\Documents and Settings\test\Cookies\test@zedo[2].txt
C:\Documents and Settings\test\Cookies\test@safeway.112.2o7[1].txt
C:\Documents and Settings\test\Cookies\test@specificclick[1].txt
C:\Documents and Settings\test\Cookies\test@trafficmp[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\test\Local Settings\Temp\Cookies\test@atdmt[1].txt

Trojan.Downloader-LoaderAdv
C:\DOCUMENTS AND SETTINGS\TEST\TEMPORARY INTERNET FILES\CONTENT.IE5\KR3V69L2\LOADERADV563[1].EXE

__________________________


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/12/2009 at 03:54 AM

Application Version : 4.26.1006

Core Rules Database Version : 3988
Trace Rules Database Version: 1928

Scan type : Quick Scan
Total Scan Time : 00:21:16

Memory items scanned : 797
Memory threats detected : 1
Registry items scanned : 133
Registry threats detected : 1
File items scanned : 0
File threats detected : 2

Trojan.Agent/Gen-Reader_S
C:\WINDOWS\SYSTEM32\READER_S.EXE
C:\WINDOWS\SYSTEM32\READER_S.EXE

Trojan.Unclassified-PQLMQ/AVP
[12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\PQLMQ.EXE
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\PQLMQ.EXE

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:20 PM

Posted 16 July 2009 - 04:45 AM

I have asked someone to look at this thread

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:20 PM

Posted 16 July 2009 - 09:30 AM

Hello.

No internet explorer windows were open, but Task manager said the program's being opened by SYSTEM.

I do not see any iexplorer in the Process Explorer log. Do you still have that process there in Task Manager? When you said that iexplorer is being opened by System, are you referring to the fact that beside iexplorer.exe, under the User Name column at the top, it says "SYSTEM"?

I would like you to scan a few Windows files for me because of that Reader_s.exe detection from SUPERAntiSpyware.


Submit Files to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Browse to the following file(s) and scan them one at a time.
  • C:\WINDOWS\system32\winlogon.exe
  • C:\WINDOWS\SYSTEM32\lsass.exe
  • C:\WINDOWS\explorer.exe
  • C:\Windows\system32\userinit.exe
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Post all 4 results in your next reply please.

Thanks.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 Damo1234

Damo1234
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 16 July 2009 - 01:10 PM

Hello.

No internet explorer windows were open, but Task manager said the program's being opened by SYSTEM.

I do not see any iexplorer in the Process Explorer log.


Oh, it's iexplore.exe not iexplorer.exe

In fact, two copies were mysteriously open when I ran process explorer.

I've seen up to three copies open at once, without any IE window, since this problem started.

iexplore.exe 6248 Internet Explorer Microsoft Corporation
iexplore.exe 6180 Internet Explorer Microsoft Corporation


When you said that iexplorer is being opened by System, are you referring to the fact that beside iexplorer.exe, under the User Name column at the top, it says "SYSTEM"?


Yes.

I would like you to scan a few Windows files for me because of that Reader_s.exe detection from SUPERAntiSpyware.



For C:\WINDOWS\system32\winlogon.exe I got

File has already been analysed:
MD5: ed0ef0a136dec83df69f04118870003e
First received: 2009.02.11 21:16:03 UTC
Date: 2009.07.16 15:06:09 UTC [<1D]
Results: 1/41
Permalink: http://www.virustotal.com/analisis/45377cb...9b1e-1247756769


_____________
For C:\WINDOWS\SYSTEM32\lsass.exe I got


File has already been analysed:
MD5: bf2466b3e18e970d8a976fb95fc1ca85
First received: 2008.05.21 05:59:13 UTC
Date: 2009.07.15 21:33:49 UTC [<1D]
Results: 1/39
Permalink: http://www.virustotal.com/analisis/f7794b5...b501-1247693629

____________

For C:\WINDOWS\explorer.exe I got


File has already been analysed:
MD5: 12896823fb95bfb3dc9b46bcaedc9923
First received: 2009.02.09 07:59:31 UTC
Date: 2009.07.16 15:14:30 UTC [<1D]
Results: 1/41
Permalink: http://www.virustotal.com/analisis/1e675cb...f455-1247757270

______________________

For C:\Windows\system32\userinit.exe I got

File has already been analysed:
MD5: a93aee1928a9d7ce3e16d24ec7380f89
First received: 2009.02.12 02:28:35 UTC
Date: 2009.07.16 09:03:53 UTC [<1D]
Results: 0/41
Permalink: http://www.virustotal.com/analisis/944cd21...f53f-1247735033


Thanks

Edited by Damo1234, 16 July 2009 - 02:16 PM.


#12 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:20 PM

Posted 16 July 2009 - 02:32 PM

Would you update MBAM and run a new scan please?

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:20 PM

Posted 16 July 2009 - 02:57 PM

Oh, it's iexplore.exe not iexplorer.exe

Sorry about that, I wasn't looking carefully and also made a typo here.

I've seen up to three copies open at once, without any IE window, since this problem started.

iexplore.exe 6248 Internet Explorer Microsoft Corporation
iexplore.exe 6180 Internet Explorer Microsoft Corporation

I believe you are using Internet Explorer 8? Does "SYSTEM" still open these iexplore.exe processes?

Please do as instructed by Da Chew.

~Extremeboy

Edited by extremeboy, 16 July 2009 - 02:57 PM.


#14 Damo1234

Damo1234
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 16 July 2009 - 07:36 PM

Oh, it's iexplore.exe not iexplorer.exe

Sorry about that, I wasn't looking carefully and also made a typo here.

I've seen up to three copies open at once, without any IE window, since this problem started.

iexplore.exe 6248 Internet Explorer Microsoft Corporation
iexplore.exe 6180 Internet Explorer Microsoft Corporation

I believe you are using Internet Explorer 8? Does "SYSTEM" still open these iexplore.exe processes?

Please do as instructed by Da Chew.

~Extremeboy



I have Internet Explorer 8 on my computer I believe, but I don't use it very often. I haven't intentionally used it in days; it just shows up in Task Manager.



I ran mbam

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/16/2009 7:11:21 PM
mbam-log-2009-07-16 (19-11-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 323013
Time elapsed: 2 hour(s), 23 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\temp\BN1.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\BN2.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\BN3.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.



I also ran Superantispyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/16/2009 at 06:57 PM

Application Version : 4.26.1006

Core Rules Database Version : 3999
Trace Rules Database Version: 1939

Scan type : Complete Scan
Total Scan Time : 04:05:46

Memory items scanned : 293
Memory threats detected : 0
Registry items scanned : 8252
Registry threats detected : 2
File items scanned : 211112
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\test\Cookies\test@atdmt[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@mediaplex[2].txt

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg


Additionally, after restarting I got the message:

Destination component

The path

'C:\DOCUME~1\test\LOCALS~1\Temp\7zS215B.tmp\setup\Destinations\Destinations.msi'
cannot be found. Verify that you have access to this location and try again, or try to find the installation package 'Destinations.msi' in a folder from which you can install the product Destination Component.




Perhaps I am imagining it, but my computer now seems slower in general.

Edited by Damo1234, 16 July 2009 - 07:37 PM.
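The 07/14 and 07/16 SAS logs above both list HKLM\Software\AGProtect even though MBAM reported quarantining that key in between, which is the pattern of something still running and recreating it. As an added example (not code from the thread, from SUPERAntiSpyware or from Malwarebytes), here is a small Python parser for this log format that diffs scan runs and flags detections that keep coming back; the embedded logs are abridged copies of the two posted above.

```python
"""Parse SUPERAntiSpyware scan logs in the format pasted in this thread and
flag detections that reappear across scans.  A key that keeps getting
"removed" and keeps coming back points to an active re-infection, not
leftovers.  Added example, not the thread's or SAS's own code."""
import re
from collections import defaultdict

# Abridged copies of the 07/14 and 07/16 logs posted above (constructed from
# the thread's text; most cookie entries dropped to keep the sample short).
LOG_0714 = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/14/2009 at 07:28 PM

Scan type : Complete Scan
Registry threats detected : 2
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\test\Cookies\test@atdmt[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg
"""

LOG_0716 = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/16/2009 at 06:57 PM

Scan type : Complete Scan
Registry threats detected : 2
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\test\Cookies\test@atdmt[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@mediaplex[2].txt

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg
"""

GENERATED_RE = re.compile(r"^Generated (\d\d/\d\d/\d{4} at \d\d:\d\d [AP]M)$")
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")      # "Scan type : Complete Scan"
# A detection line: optional "[CLSID]" prefix, then a drive path or a registry hive.
ITEM_RE = re.compile(r"^(?:\[[^\]]+\]\s+)?(?:[A-Za-z]:\\|HK(?:LM|CU|CR|U)\\)", re.I)
NOISE = {"Adware.Tracking Cookie"}   # cookies churn every scan and carry no signal here


def parse_sas_log(text):
    """Return {'generated': str, 'fields': {...}, 'detections': {family: [item, ...]}}."""
    log = {"generated": None, "fields": {}, "detections": defaultdict(list)}
    family = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("http") or line == "SUPERAntiSpyware Scan Log":
            continue
        m = GENERATED_RE.match(line)
        if m:
            log["generated"] = m.group(1)
            continue
        if ITEM_RE.match(line):              # before FIELD_RE: "C:\..." also contains a colon
            if family is None:
                raise ValueError("detection listed before any threat family: " + line)
            log["detections"][family].append(line)
            continue
        m = FIELD_RE.match(line)
        if m:
            log["fields"][m.group(1).strip()] = m.group(2).strip()
            continue
        family = line                        # any other text names a threat family
    log["detections"] = dict(log["detections"])
    return log


def recurring_detections(logs, ignore=NOISE):
    """Map (family, item) to the scan timestamps it appeared in, keeping only
    items seen in two or more scans.  Items are lower-cased because Windows
    paths and registry keys are case-insensitive and SAS mixes case between runs."""
    seen = defaultdict(list)
    for log in logs:
        keys = {(fam, item.lower()) for fam, items in log["detections"].items()
                if fam not in ignore for item in items}
        for key in sorted(keys):
            seen[key].append(log["generated"])
    return {key: stamps for key, stamps in seen.items() if len(stamps) > 1}


if __name__ == "__main__":
    logs = [parse_sas_log(LOG_0714), parse_sas_log(LOG_0716)]
    for (family, item), stamps in recurring_detections(logs).items():
        print(f"{family}: {item} seen in {len(stamps)} scans ({', '.join(stamps)})")
```

Feed it every SAS log from the thread and anything outside the cookie family that survives more than one scan is the persistence to chase; a detection that appears once and never returns was genuinely cleaned.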


#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:20 PM

Posted 17 July 2009 - 09:10 AM

Hello again.

I did some quick research on one of the detections MBAM reported and found this link related to it: http://www.threatexpert.com/report.aspx?md...aa1c77fe114fba7

I think it would be better if I move you to the Malware Removal forum afterwards; that gives us a better idea of what is on your computer. I can't be certain you are infected with Virut at the moment.

I would like you to run 2 last scans and I want to see what comes out of them:

Download and Run Security Check

Please Download Security Check by screen317 from here or here and save it to your Desktop.
  • Double click SecurityCheck.exe to run it. Right-click and choose Run as Administrator if you are using Vista.
  • Press any key to continue when prompted.
  • Notepad will open soon entitled Checkup.txt
  • Please post the contents of that log in your next reply.
Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click the downloaded GMER file on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt asking to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

If GMER crashes or if there were any problems, please let me know in your next reply.

With Regards,
Extremeboy



