I've got the itch: Is it a virus?


5 replies to this topic

#1 commonalias

Posted 21 July 2009 - 08:45 AM

Hi, my computer recently started telling me that the C:/windows/temp file was corrupt and I should run "chkdsk". I've done that, but it's corrupted some of my files. I've run Webroot Security and RegCure Registry, but they don't solve the issue. Please let me know what to do to remove this virus! One clue: WRconsumerservice.exe takes up 98% CPU when the computer is sluggish.

Thanks!
Preston

#2 Stang777

Posted 21 July 2009 - 09:53 AM

Hi and Welcome to BleepingComputer,

I would start out by doing a scan with Malwarebytes...

It can be downloaded from any of these places...

http://www.malwarebytes.org/mbam.php

alternate download link 1 (easiest way)
http://malwarebytes.gt500.org/mbam-setup.exe

alternate download link 2
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

Double-click on mbam-setup.exe to install the application. (If it will not download, install, or open after installation, change the name of it to whatever you want and change the .exe extension to .bat, .com, .pif or .scr, and then double-click on it to run.)

When the installation begins, follow the prompts and do not make any changes to default settings. When installation has finished, make sure you leave both of these checked:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.

Make sure the "Perform Quick Scan" option is selected. Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process.

After running that scan, post the complete log of the results here and then download, install, update and run a quick scan with SuperAntiSpyware and post the complete log of the results here. This scan may take some time to complete so please be patient.

That can be downloaded from SuperAntiSpyware.com

If it will not download, install, or open after installation, change the name of it to whatever you want and change the .exe extension to .bat, .com, .pif or .scr, and then double-click on it to run.

If possible, both programs should be run in regular Windows, not safe mode. Allow both programs to remove whatever they find and if they tell you that you need to reboot your computer to complete the removal process, reboot into normal Windows.

#3 quietman7 (Global Moderator)

Posted 21 July 2009 - 12:46 PM

WRConsumerService.exe is related to the Webroot Client Service.

...I should run "chkdsk". I've done that, but it's corrupted some of my files.

Chkdsk is a disk error checking utility that verifies the logical integrity of a file system. As you use your hard drive, it can develop bad sectors which slow down hard disk performance and make data writing difficult. Chkdsk scans the hard drive and will check the files and folders for file system errors, lost clusters, lost chains, and bad sectors. When encountering logical inconsistencies in file system data, it will perform the necessary actions to repair the file system data.

Chkdsk will create and display a status report for a disk based on the file system and will list and correct errors on the disk. If used without parameters, chkdsk displays the status of the disk in the current drive. Chkdsk scans the disk structures and disk surface for possible errors and inconsistencies in separate phases. During the first few phases, it checks the FAT or NTFS for lost clusters, cross-linked files and inconsistent directories. When these steps are completed, it asks you whether you want to run a full scan, during which it actually reads every single sector to prove that it is readable.

...I've run...RegCure Registry

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

• Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

• Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

• Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

• Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

• The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

Have you tried using System Restore or System Restore from a command prompt in Safe Mode to return to a previous state before your problems began?

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 commonalias (Topic Starter)

Posted 21 July 2009 - 01:45 PM

Wow, that's quite a bit of useful information. The info is much appreciated! The Registry facts were an eye-opener, and probably something most consumers aren't aware of. I'll discontinue the weekly sweeps schedule.

I have not implemented System Restore. And I can't say with confidence that WRConsumerService is the culprit -- it's suspicious to me that it takes up so much CPU (~98%).

Here's the Malwarebytes log. Supersweeper to follow....

Malwarebytes' Anti-Malware 1.39
Database version: 2473
Windows 5.1.2600 Service Pack 3

7/21/2009 2:18:04 PM
mbam-log-2009-07-21 (14-18-04).txt

Scan type: Quick Scan
Objects scanned: 126631
Time elapsed: 54 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 commonalias (Topic Starter)

Posted 21 July 2009 - 03:06 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/21/2009 at 03:23 PM

Application Version : 4.26.1006

Core Rules Database Version : 4005
Trace Rules Database Version: 1945

Scan type : Quick Scan
Total Scan Time : 00:35:51

Memory items scanned : 424
Memory threats detected : 0
Registry items scanned : 430
Registry threats detected : 0
File items scanned : 14821
File threats detected : 92

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@statcounter[1].txt
C:\Documents and Settings\User\Cookies\user@iacas.adbureau[1].txt
C:\Documents and Settings\User\Cookies\user@hc2.humanclick[1].txt
C:\Documents and Settings\User\Cookies\user@insightexpressai[2].txt
C:\Documents and Settings\User\Cookies\user@server.iad.liveperson[1].txt
C:\Documents and Settings\User\Cookies\user@imrworldwide[2].txt
C:\Documents and Settings\User\Cookies\user@media.mtvnservices[2].txt
C:\Documents and Settings\User\Cookies\user@serving-sys[1].txt
C:\Documents and Settings\User\Cookies\user@bonniercorp.122.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@adecn[1].txt
C:\Documents and Settings\User\Cookies\user@a1.interclick[3].txt
C:\Documents and Settings\User\Cookies\user@adbrite[3].txt
C:\Documents and Settings\User\Cookies\user@fastclick[1].txt
C:\Documents and Settings\User\Cookies\user@oasn04.247realmedia[1].txt
C:\Documents and Settings\User\Cookies\user@yieldmanager[1].txt
C:\Documents and Settings\User\Cookies\user@www.burstbeacon[1].txt
C:\Documents and Settings\User\Cookies\user@nextag[1].txt
C:\Documents and Settings\User\Cookies\user@trafficmp[1].txt
C:\Documents and Settings\User\Cookies\user@server.iad.liveperson[2].txt
C:\Documents and Settings\User\Cookies\user@burstbeacon[1].txt
C:\Documents and Settings\User\Cookies\user@traveladvertising[1].txt
C:\Documents and Settings\User\Cookies\user@www.burstnet[1].txt
C:\Documents and Settings\User\Cookies\user@msnbc.112.2o7[2].txt
C:\Documents and Settings\User\Cookies\user@ads.shorttail[1].txt
C:\Documents and Settings\User\Cookies\user@ads.bleepingcomputer[2].txt
C:\Documents and Settings\User\Cookies\user@2o7[1].txt
C:\Documents and Settings\User\Cookies\user@hc2.humanclick[3].txt
C:\Documents and Settings\User\Cookies\user@ads.lucidmedia[1].txt
C:\Documents and Settings\User\Cookies\user@counter2.sextracker[2].txt
C:\Documents and Settings\User\Cookies\user@adtech[2].txt
C:\Documents and Settings\User\Cookies\user@richmedia.yahoo[2].txt
C:\Documents and Settings\User\Cookies\user@www.pornhub[11].txt
C:\Documents and Settings\User\Cookies\user@extrovert.122.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@www.adultadvertising[1].txt
C:\Documents and Settings\User\Cookies\user@www.pornhub[10].txt
C:\Documents and Settings\User\Cookies\user@apmebf[1].txt
C:\Documents and Settings\User\Cookies\user@pornhub[1].txt
C:\Documents and Settings\User\Cookies\user@adinterax[3].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\User\Cookies\user@usatoday1.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@revsci[3].txt
C:\Documents and Settings\User\Cookies\user@address4sex[1].txt
C:\Documents and Settings\User\Cookies\user@www.googleadservices[3].txt
C:\Documents and Settings\User\Cookies\user@kontera[2].txt
C:\Documents and Settings\User\Cookies\user@server.iad.liveperson[4].txt
C:\Documents and Settings\User\Cookies\user@media6degrees[2].txt
C:\Documents and Settings\User\Cookies\user@burstnet[1].txt
C:\Documents and Settings\User\Cookies\user@questionmarket[1].txt
C:\Documents and Settings\User\Cookies\user@adserver.adtechus[2].txt
C:\Documents and Settings\User\Cookies\user@ads.undertone[1].txt
C:\Documents and Settings\User\Cookies\user@casalemedia[1].txt
C:\Documents and Settings\User\Cookies\user@pornhut[1].txt
C:\Documents and Settings\User\Cookies\user@atdmt[1].txt
C:\Documents and Settings\User\Cookies\user@collective-media[2].txt
C:\Documents and Settings\User\Cookies\user@sextracker[1].txt
C:\Documents and Settings\User\Cookies\user@realmedia[1].txt
C:\Documents and Settings\User\Cookies\user@www.pornhub[5].txt
C:\Documents and Settings\User\Cookies\user@tacoda[1].txt
C:\Documents and Settings\User\Cookies\user@overture[2].txt
C:\Documents and Settings\User\Cookies\user@farecastcom.122.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@xxxcounter[1].txt
C:\Documents and Settings\User\Cookies\user@ads.pointroll[1].txt
C:\Documents and Settings\User\Cookies\user@at.atwola[1].txt
C:\Documents and Settings\User\Cookies\user@bs.serving-sys[2].txt
C:\Documents and Settings\User\Cookies\user@snapfish.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@specificmedia[3].txt
C:\Documents and Settings\User\Cookies\user@www.pornhub[9].txt
C:\Documents and Settings\User\Cookies\user@zedo[1].txt
C:\Documents and Settings\User\Cookies\user@doubleclick[2].txt
C:\Documents and Settings\User\Cookies\user@www.pornhub[8].txt
C:\Documents and Settings\User\Cookies\user@equityresidential.122.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt
C:\Documents and Settings\User\Cookies\user@specificclick[1].txt
C:\Documents and Settings\User\Cookies\user@msnportal.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@ads.foodbuzz[2].txt
C:\Documents and Settings\User\Cookies\user@eyewonder[1].txt
C:\Documents and Settings\User\Cookies\user@f.blogads[3].txt
C:\Documents and Settings\User\Cookies\user@interclick[3].txt
C:\Documents and Settings\User\Cookies\user@chitika[2].txt
C:\Documents and Settings\User\Cookies\user@optimize.indieclick[1].txt
C:\Documents and Settings\User\Cookies\user@ads.belointeractive[2].txt
C:\Documents and Settings\User\Cookies\user@hearstmagazines.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@adlegend[2].txt
C:\Documents and Settings\User\Cookies\user@247realmedia[2].txt
C:\Documents and Settings\User\Cookies\user@trvlnet.adbureau[2].txt
C:\Documents and Settings\User\Cookies\user@advertising[1].txt
C:\Documents and Settings\User\Cookies\user@server.iad.liveperson[3].txt
C:\Documents and Settings\User\Cookies\user@tribalfusion[1].txt
C:\Documents and Settings\User\Cookies\user@dc.tremormedia[3].txt
C:\Documents and Settings\User\Cookies\user@media1.break[1].txt
C:\Documents and Settings\User\Cookies\user@data.coremetrics[1].txt
C:\Documents and Settings\User\Cookies\user@CA5H1W80.txt
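
The two logs above, as an added example that is not code from either poster, from BleepingComputer, or from either vendor: a small Python parser for the MBAM 1.x and SUPERAntiSpyware log formats that separates the single registry hit (the Security Center AntiVirusDisableNotify value found at 1 where 0 is expected) from the 92 tracking cookies. The embedded log text is an abbreviated copy of the two posted logs; the Finding type, the severity rules, and the generic "object (Threat.Name) -> action" pattern used for non-registry MBAM items are this example's own assumptions, since the thread only shows the registry-data-item form.

```python
"""Parse the Malwarebytes and SUPERAntiSpyware logs posted in this thread and triage them.
Added example, not code from BleepingComputer or either vendor. The log excerpts are
abbreviated copies of the logs in posts #4 and #5; the severity rules are assumptions."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    scanner: str   # product that reported it
    threat: str    # detection name, e.g. "Disabled.SecurityCenter"
    detail: str    # file path, or "<registry value> = <bad> (expected <good>)"
    severity: str  # assumed triage level: "high" / "medium" / "low"

# Abbreviated from the MBAM 1.39 log in post #4 (summary counts, then detail sections).
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.39
Scan type: Quick Scan

Registry Data Items Infected: 1
Files Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Abbreviated from the SAS 4.26.1006 log in post #5 (3 of the 92 cookie entries).
SAS_LOG = r"""SUPERAntiSpyware Scan Log
File threats detected : 92

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@statcounter[1].txt
C:\Documents and Settings\User\Cookies\user@doubleclick[2].txt
C:\Documents and Settings\User\Cookies\user@CA5H1W80.txt
"""

# "X Infected: 0" is a summary count; a bare "X Infected:" opens a detail section.
MBAM_SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d*)$")
# Registry data items record the bad value seen and the value MBAM expects instead.
MBAM_DATA_ITEM = re.compile(r"^(?P<key>.+?) \((?P<threat>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> .+$")
MBAM_ITEM = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^)]+)\) -> .+$")  # assumed form for files, folders, keys
SAS_CATEGORY = re.compile(r"^[A-Za-z]+\.[A-Za-z][\w .-]*$")            # e.g. "Adware.Tracking Cookie"
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

def severity_for(threat: str, detail: str) -> str:
    """Assumed triage rules. Disabled.* on a Security Center value means the XP Security Center
    warning about missing antivirus/firewall/updates was silenced (1 instead of 0); malware does
    this so nobody is alerted, but some security suites set it too, so corroborate first."""
    if threat.startswith("Disabled.") or "\\Microsoft\\Security Center\\" in detail:
        return "high"
    return "low" if threat.startswith("Adware.Tracking") else "medium"   # cookies are not an infection

def parse_mbam_log(text: str):
    """Return (header, summary_counts, findings) for an MBAM 1.x text log."""
    header, counts, findings, section = {}, {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("(No malicious"):
            continue
        if m := MBAM_SECTION.match(line):
            if m["count"]:
                counts[m["name"]] = int(m["count"])
            else:
                section = m["name"]
        elif section is None:                          # still in the header block
            if ":" in line:
                k, v = line.split(":", 1)
                header[k.strip()] = v.strip()
        elif m := MBAM_DATA_ITEM.match(line):
            detail = f'{m["key"]} = {m["bad"]} (expected {m["good"]})'
            findings.append(Finding("Malwarebytes", m["threat"], detail, severity_for(m["threat"], detail)))
        elif m := MBAM_ITEM.match(line):
            findings.append(Finding("Malwarebytes", m["threat"], m["obj"], severity_for(m["threat"], m["obj"])))
    return header, counts, findings

def mbam_counts_consistent(counts: dict, findings: list) -> bool:
    """Every item in the detail sections should be accounted for in the summary block."""
    return sum(counts.values()) == len(findings)

def parse_sas_log(text: str):
    """SAS prints a 'Family.Name' category line followed by one path per line."""
    findings, category = [], "Unknown"
    for line in (l.rstrip() for l in text.splitlines()):
        if SAS_CATEGORY.match(line):
            category = line
        elif DRIVE_PATH.match(line):                   # "Key : value" header lines fall through
            findings.append(Finding("SUPERAntiSpyware", category, line, severity_for(category, line)))
    return findings

def summarize(findings) -> dict:
    """Count per severity so one real finding is not buried under 92 cookies."""
    return {s: sum(f.severity == s for f in findings) for s in ("high", "medium", "low")}

if __name__ == "__main__":
    _, counts, mbam = parse_mbam_log(MBAM_LOG)
    findings = mbam + parse_sas_log(SAS_LOG)
    for f in sorted(findings, key=lambda f: ["high", "medium", "low"].index(f.severity)):
        print(f"[{f.severity:>6}] {f.scanner}: {f.threat} -> {f.detail}")
    print("MBAM summary consistent:", mbam_counts_consistent(counts, mbam), summarize(findings))
```

Run it as a script and the one "high" line comes out on top of the cookie noise. That label means "check this", not "infected": the posted logs do not say who set AntiVirusDisableNotify, and a security suite such as the user's Webroot managing the Security Center notifications is one legitimate explanation, which is why the moderator's reading that nothing of concern shows is compatible with the parser's output. Feeding it the full posted logs rather than the excerpts gives the same single high finding and 92 low ones.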

#6 quietman7 (Global Moderator)

Posted 22 July 2009 - 06:22 AM

Nothing of significant concern showing in your logs.

...I can't say with confidence that WRConsumerService is the culprit -- it's suspicious to me that it takes up so much CPU (~98%).

As I said previously, that process is related to your Webroot program. You can try disabling the service as part of troubleshooting the high CPU problem, or contact Webroot Support / submit a question to Webroot Online Customer Support.