Computer with Multiple Issues


4 replies to this topic

#1 driven2distraction

  • Members
  • 5 posts

Posted 06 July 2010 - 03:59 AM

Hi there, and thanks in advance,

This computer is small and old and has always been slower than the amount of RAM would suggest, ever since when it was new it would not create restore CDs and the "fix" under warranty after two unsuccessful re-imagings was to put a slightly different image on the computer. It runs Win XP SP 3 and has 248 MB of RAM but chokes on some programmes that should run on half of that.

About 3 weeks ago the computer got seriously slower than usual. I restored it using the Restore Partition back to the initial restore point. Since then it has been attracting malware at quite a rate (I have not had this happen before) and it is now very slow again.

I have been running Avira Antivir for quite some time because it doesn't slow it down much. Avira started giving quite a few warnings that it had caught this or that, or that E:/Autorun.inf had been blocked by Avira's guard. E is the recovery partition. Because issues kept happening I bought BitDefender, which the computer could not handle. Too large, too crashy. RAM requirements weren't on the box, but I now know they are in excess of what I have.

So I have run AdAware and Spybot S&D and had Avast (which I already knew slowed the system down a lot) in and out of the computer. Everything catches something but the malware keeps coming, as do the Autorun.inf messages. I have been looking for some kind of granddaddy of all malware that is calling the others in, rightly or wrongly.

I did some online Panda Active Scans. Today it showed a couple of tracking cookies (doubleclick and apmebf) and the following two files:
C:\program files\hpq\default settings\cpqset.exe as a Generic Malware Virus/Trojan
and
C:\program files\oberon media\magic ball 2\magicball2.exe as a suspicious file.
Interestingly, Avira had shown an interest in magicball.exe earlier, and dealt with it in some way. It is part of the image on my computer so if it is inherently problematic (rather than just being a place malware chose to hide after the restore) the problem may recur if I restore the system again.

Then I got stupid. I downloaded the free Panda Cloud Antivirus to deal with the problems and installed it without uninstalling Avira. My system is so slow that you click on something and wait several minutes for a response. Typing works, thank goodness, but nothing else is instant. Panda caught a couple of things, cpqset.exe and another thing that led back to the same generic malware page. It was C:\SystemVolumeInformation\_restore(EBOCF6AE-1AAA-478F-8168-27C82E451995}\RP17\A0002874.exe . Now I can't copy and paste that so it may not be exact, and zero may be letter o and so on, but hopefully you get the idea. It also found 18 tracking cookies, but didn't send any messages about magicball.exe.

Now I have to get Panda Cloud Antivirus out, and Microsoft.NET 2 which it brought with it which also slows my system down. However, I can't figure out how to submit the files anywhere in case they are false positives which I would like to do first. cpqset.exe is supposed to be in my computer. There are two files in the quarantine area, but they are presumably encrypted and the original files are no longer visible in the original locations.

After I do that, I would like to know the most logical thing to do next, as I am somewhat baffled by this ongoing saga. All help appreciated.



#2 driven2distraction


Posted 06 July 2010 - 04:36 PM

Hi again,

I have found what to do about checking for false positives with Panda Cloud. I have to restore the files that have been quarantined; I cannot send the encrypted files I found within quarantine. This info found here: http://www.cloudantivirus.com/forum/thread...&tstart=135

I think I will restore them and uninstall Panda Cloud as it is clearly too big for my machine at present. Then it will hopefully be able to zip them and send them in a reasonable amount of time! I will also submit them to Threat Expert or someone like that with known rapid response times.

Then I must figure out what to try next to get to the bottom of the sudden increase in malware reports from Avira.

#3 driven2distraction


Posted 06 July 2010 - 04:46 PM

You know what's freaky? - I clicked the restore arrow on one file in quarantine, and Panda Cloud restored them both! On this particular occasion I wanted to restore them both, but how often would you want to restore everything in quarantine? Let's hope it was a user error on my part, because that doesn't seem like a very desirable way to operate to me.

#4 driven2distraction


Posted 06 July 2010 - 10:51 PM

Threat Expert deemed those files to be harmless so I have submitted them to Panda as false positives. Computer is back to one resident antivirus (or shall we say owner is back to getting it right) and I also uninstalled Microsoft.NET Framework 2.0 which I know disagrees with my computer, and something I discovered that had been installed by Ad-Aware to check Outlook e-mails. I don't use this computer for e-mails in the normal course of events.

The computer is now running as well as it ever has (slow and steady) and Avira hasn't sent me any malware or autorun.inf messages yet today. I can't see why the steady stream of malware has slowed or stopped, but I am enjoying it while it lasts. My concern now is what to do if it starts up again, because I have no idea why it started in the first place.

#5 driven2distraction


Posted 07 July 2010 - 01:44 AM

The computer was slowing down again within half an hour of making the last post. I downloaded MBAM which I hadn't tried before after reading about it in the forum here. It found Spyware.MarketScore in three places in the registry keys. That was a really specific finding, I thought, after lots of suspicious this and generic that found by other programmes.

I also noticed that Avira sends the autorun.inf message when MBAM is scanning the part of the restore partition where autorun.inf is - presumably exactly as it scans it. (After MBAM found and dealt with MarketScore, my paranoia is now such that I rebooted and scanned again in case anything else popped up - no new problems but the autorun.inf message was exactly on cue again).

Maybe we are getting somewhere.



