
Computer running very sluggish before and after virus "removal"



#1 SuB-ZeD

SuB-ZeD

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:02:36 PM

Posted 02 June 2010 - 09:49 PM

Hello,

My computer has contracted a nasty virus. It's pretty much unusable because it's so slow. The virus was at first giving me AntiMalware Doctor popups. I seem to have gotten rid of that. Now it's just running slow. A full system scan of Avira AntiVir comes up with files like TR/Rootkit.Gen Trojan. The first scan showed 2 infected files (which I removed). The second scan showed about 4 infected files.

What I've done:

I have run an MBAM full system scan and have the report ready if required. I have also booted into safe mode, run ATF Cleaner and then updated and run SUPERAntiSpyware.

I'm not sure how else to describe it but I was wondering if someone could help me with this. Your assistance is greatly appreciated!

Thanks.

#2 boopme

Posted 03 June 2010 - 02:25 PM

Hi, please post the MBAM log and SAS log.

#3 SuB-ZeD

Posted 03 June 2010 - 07:21 PM

Hello,


MBAM LOG:

***************************************************************
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/2/2010 11:45:26 PM
mbam-log-2010-06-02 (23-45-26).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 256313
Time elapsed: 57 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

***************************************************************

SAS Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/01/2010 at 10:29 PM

Application Version : 4.26.1000

Core Rules Database Version : 5018
Trace Rules Database Version: 2821

Scan type : Complete Scan
Total Scan Time : 02:15:12

Memory items scanned : 305
Memory threats detected : 0
Registry items scanned : 6207
Registry threats detected : 0
File items scanned : 119788
File threats detected : 9

Adware.Flash Tracking Cookie
C:\Documents and Settings\singhsu1\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\PRDG3EL8\MEDIA.THEBOOBSMOVIES.COM

Trojan.Agent/Gen-AVP
C:\DOCUMENTS AND SETTINGS\HELPASSISTANT\LOCAL SETTINGS\TEMP\AVP.EXE

Trojan.Dropper/Gen-NV
C:\DOCUMENTS AND SETTINGS\HELPASSISTANT\LOCAL SETTINGS\TEMP\AVP32.EXE

Trojan.Agent/Gen-CDesc[Gen]
C:\DOCUMENTS AND SETTINGS\HELPASSISTANT\LOCAL SETTINGS\TEMP\YFQ.EXE
C:\DOCUMENTS AND SETTINGS\HELPASSISTANT\LOCAL SETTINGS\TEMP\YFT.EXE
C:\DOCUMENTS AND SETTINGS\SINGHSU1\LOCAL SETTINGS\TEMP\YFQ.EXE
C:\DOCUMENTS AND SETTINGS\SINGHSU1\LOCAL SETTINGS\TEMP\YFT.EXE
C:\WINNT\YWUDIA.EXE
C:\WINNT\YWUDIB.EXE

*******************************************************

Thanks!

#4 SuB-ZeD

Posted 03 June 2010 - 07:49 PM

Also, I'm not sure if this may help, but on startup I get a RUNDLL error that says: "Error loading pidarylf.dll The specified module could not be found". Also, it appears that the time on my task bar has switched to military =S. My computer takes literally 10 minutes to load up to the point where it's somewhat usable.

Thanks again for your help!

#5 boopme

Posted 04 June 2010 - 08:46 AM

Hi. BC was down for maintenance last night, so we need to do a few things now. First, did you update MBAM before the scan? I just want to be sure you ran the latest database.
Are the Popups gone?

It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message. Example: pidarylf.dll
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.


To fix the clock display:

Go to Start >> Control Panel.
Select Regional and Language Options.
In the Standards and Formats section... next to the language you are using... click the Customize...button
Press the Time...tab.
In the Time Format...box, for 12 hour time display... change the format to:

h mm ss tt
or
hh mm ss tt


Select the other display options you want... separator, AM, PM...
When done...click Apply and OK as needed.


Now you may also have too many things running at startup, slowing you down.
Use Process Explorer to see what's running at startup.

Please download and run Process Explorer v11.33
Click on File then Save As, create a log.
Copy and paste it into your next reply.
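As an added example (not part of boopme's reply or of the Autoruns tool), the following PowerShell script does the same search the reply describes for the standard Run/RunOnce keys: it extracts the file each autostart value would load and reports entries whose target no longer exists, which is the condition behind the "Error loading pidarylf.dll" message. It only reports; the dll path in the comment is a constructed illustration.

```powershell
# Added example, not from the thread: report Run/RunOnce autostart entries whose
# target file no longer exists. Such orphaned entries are what produce an
# "Error loading <file> ... module could not be found" box at logon after a
# scanner has deleted the file. Read-only: nothing is deleted.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget {
    # Extract the file a command line will load. Handles the rundll32 form,
    # e.g. rundll32.exe "C:\WINNT\pidarylf.dll",Start  (constructed value),
    # a quoted path with arguments, and a bare executable name.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd -match '(?i)^"?[^"\s]*rundll32(\.exe)?"?\s+"?([^",]+)') { return $matches[2].Trim() }
    if ($cmd -match '^"([^"]+)"') { return $matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-TargetExists {
    # Expand %VARS%; a bare name is resolved through PATH the way the loader would.
    param([string]$Target)
    $p = [Environment]::ExpandEnvironmentVariables($Target)
    if ([IO.Path]::IsPathRooted($p)) { return (Test-Path -LiteralPath $p) }
    return [bool](Get-Command $p -ErrorAction SilentlyContinue)
}

$orphans = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        if ($name -eq '') { continue }            # skip the (Default) value
        $cmd = [string]$item.GetValue($name)
        if ($cmd -eq '') { continue }
        $target = Get-CommandTarget $cmd
        if (-not (Test-TargetExists $target)) {
            $orphans += New-Object PSObject -Property @{
                Key = $key; Name = $name; Command = $cmd; MissingFile = $target
            }
        }
    }
}

if ($orphans.Count -eq 0) { 'No orphaned Run/RunOnce entries found.' }
else { $orphans | Format-Table Key, Name, MissingFile -AutoSize -Wrap }
```

Autoruns covers many more autostart locations (services, Winlogon, BHOs, scheduled tasks); this script is limited to the four Run/RunOnce keys, so an entry it does not find may still show up there.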

#6 SuB-ZeD

Posted 05 June 2010 - 06:49 PM

Hi,

I wasn't able to figure out which item to delete in Autoruns because there are too many of them. As for the MBAM log, I believe I did update it before I scanned, but I ran another scan just in case after updating:

MBAM Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4165

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/5/2010 4:21:40 AM
mbam-log-2010-06-05 (04-21-40).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 256548
Time elapsed: 1 hour(s), 14 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6fcc8d10-9089-44c2-8994-d4864612b504} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fcc8d10-9089-44c2-8994-d4864612b504} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6fcc8d10-9089-44c2-8994-d4864612b504} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\fjmuzdnk.dll (Adware.EZlife) -> Quarantined and deleted successfully.

**************************************************************************************************

Also, here is the Procxp Log:

Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 94.06 0 K 16 K
Interrupts n/a 1.98 0 K 0 K Hardware Interrupts
DPCs n/a 0.99 0 K 0 K Deferred Procedure Calls
System 4 0 K 116 K
smss.exe 936 168 K 116 K Windows NT Session Manager Microsoft Corporation
csrss.exe 988 1,516 K 1,952 K Client Server Runtime Process Microsoft Corporation
winlogon.exe 1016 14,812 K 1,612 K Windows NT Logon Application Microsoft Corporation
services.exe 1060 0.99 21,240 K 6,740 K Services and Controller app Microsoft Corporation
ibmpmsvc.exe 1276 444 K 772 K ThinkPad Power Management Service Lenovo.
ati2evxx.exe 1304 552 K 732 K ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 1320 5,512 K 1,056 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1412 5,308 K 1,648 K Generic Host Process for Win32 Services Microsoft Corporation
EvtEng.exe 1580 6,520 K 1,244 K EvtEng Module Intel Corporation
S24EvMon.exe 1644 2,728 K 776 K Event Monitor - Supports driver extensions to NIC Driver for wireless adapters. Intel Corporation
svchost.exe 1704 31,048 K 6,268 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1752 3,592 K 1,788 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1880 4,116 K 732 K Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 348 5,180 K 768 K Spooler SubSystem App Microsoft Corporation
sched.exe 396 5,132 K 328 K Antivirus Scheduler Avira GmbH
avguard.exe 1724 83,620 K 14,616 K Antivirus On-Access Service Avira GmbH
AppleMobileDeviceService.exe 1780 2,244 K 372 K Apple Mobile Device Service Apple Inc.
mDNSResponder.exe 1816 2,244 K 944 K Bonjour Service Apple Inc.
keyacc32.exe 1992 3,412 K 2,484 K KeyAccess for Windows Sassafras Software Inc.
mdm.exe 580 1,620 K 872 K Machine Debug Manager Microsoft Corporation
ngctw32.exe 952 3,488 K 1,632 K Symantec Ghost Client Agent Symantec Corporation
QCONSVC.EXE 1140 1,440 K 348 K ThinkVantage Access Connections - Service Component. Lenovo
RegSrvc.exe 1540 1,360 K 528 K RegSrvc Module Intel Corporation
SMAgent.exe 1760 524 K 268 K SoundMAX service agent component Analog Devices, Inc.
svchost.exe 2080 3,272 K 1,988 K Generic Host Process for Win32 Services Microsoft Corporation
TPHDEXLG.exe 2144 536 K 692 K ThinkVantage Active Protection System - HDD Logger Module Lenovo.
wdfmgr.exe 2204 2,344 K 516 K Windows User Mode Driver Manager Microsoft Corporation
alg.exe 3100 2,352 K 672 K Application Layer Gateway Service Microsoft Corporation
iPodService.exe 2880 3,056 K 1,272 K iPodService Module Apple Inc.
lsass.exe 1072 15,040 K 1,588 K LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 1624 2,212 K 1,664 K ATI External Event Utility EXE Module ATI Technologies Inc.
explorer.exe 3004 19,324 K 19,268 K Windows Explorer Microsoft Corporation
TPHKMGR.exe 3000 2,248 K 716 K
TPONSCR.exe 2824 596 K 600 K
TpScrex.exe 788 592 K 384 K ThinkPad UltraZoom IBM Corporation
SynTPLpr.exe 2676 1,372 K 628 K TouchPad Driver Helper Application Synaptics, Inc.
SynTPEnh.exe 2724 2,788 K 1,808 K Synaptics TouchPad Enhancements Synaptics, Inc.
SMax4PNP.exe 2744 2,596 K 708 K SMax4PNP MFC Application Analog Devices, Inc.
TpShocks.exe 780 656 K 484 K ThinkVantage Active Protection System Lenovo, Ltd. and IBM Corporation.
TpScrLk.exe 3360 520 K 456 K
tfswctrl.exe 2024 1,716 K 840 K Drive Letter Access Component Sonic Solutions
daemon.exe 240 1,652 K 540 K Virtual DAEMON Manager DAEMON'S HOME
rundll32.exe 272 2,516 K 1,060 K Run a DLL as an App Microsoft Corporation
rundll32.exe 700 3,004 K 1,152 K Run a DLL as an App Microsoft Corporation
EZEJMNAP.EXE 3656 1,348 K 872 K ThinkPad EasyEject Support Application Lenovo Group Limited
QCWLICON.EXE 1912 0.99 6,524 K 2,908 K ThinkVantage Access Connections - Wireless Status Icon. Lenovo
jusched.exe 812 1,028 K 476 K Java™ Platform SE binary Sun Microsystems, Inc.
jucheck.exe 3672 3,084 K 796 K Java™ Update Checker Sun Microsystems, Inc.
QCTRAY.EXE 740 10,260 K 7,908 K ThinkVantage Access Connections - Taskbar Application. Lenovo
QTTask.exe 2264 688 K 368 K QuickTime Task Apple Inc.
iTunesHelper.exe 2340 8,308 K 2,076 K iTunesHelper Module Apple Inc.
avgnt.exe 2608 2,456 K 3,256 K Antivirus System Tray Tool Avira GmbH
BJMYPRT.EXE 1448 756 K 468 K Canon My Printer CANON INC.
ctfmon.exe 2396 996 K 1,456 K CTF Loader Microsoft Corporation
DLG.exe 2392 1,888 K 876 K Digital Line Detection BVRP Software
MediaChecker.exe 3216 4,468 K 1,852 K PLANNING Co., Ltd
ZDWlan.exe 2820 3,036 K 1,704 K IEEE 802.11b+g Wireless LAN Utility MFC Application
WallCal3.exe 2260 3,448 K 3,504 K Desktop Wallpaper Calendar Zepsoft
firefox.exe 3532 187,384 K 127,724 K Firefox Mozilla Corporation
procexp.exe 2640 0.99 22,140 K 25,792 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com

***************************************************************************************************

Thanks again.

#7 boopme

Posted 05 June 2010 - 08:06 PM

OK, well, we need a deeper look. To remove some things and confirm the items starting, we are moving to another section.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.

Please include this link to this AII topic,
http://www.bleepingcomputer.com/forums/top...ml#entry1787333

Let me know if that went well.

#8 SuB-ZeD

Posted 06 June 2010 - 09:13 AM

Hi,

Everything went well. I was able to generate all the logs and have followed steps 6 to 9 as requested. Here is a link to my new topic:

http://www.bleepingcomputer.com/forums/t/322041/computer-running-very-slow-mbam-shows-infections-trrootkitgen-trojan-adwareezlife/

#9 Orange Blossom

Posted 06 June 2010 - 12:33 PM

Hello,

Now for the hard part: waiting.

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: