still slow after all these years


8 replies to this topic

#1 rustymecco


Posted 07 February 2011 - 02:36 PM

A friend brought me his computer. He had clicked on a malware scan and then the popups wouldn't leave him alone. Prior to that the computer was running very slow. It also would not allow Windows Update. I ran Defogger, RkUnhooker, Malwarebytes, TDSSKiller, removed some unwanted programs, cleaned up the startup entries, cleared the Java cache, ran TFC, ran Malwarebytes again, and did the online ESET scan. Everything was coming up clean, but it was still running a little slow at times. I got the Windows Update issue straightened out and did the updates. Then things started going downhill again: back to not being able to update, still running slow or slower. Could use some help please.



#2 Allan


Posted 07 February 2011 - 02:55 PM

I didn't see mention of using any AV utility. If I were you I'd post in the Am I Infected forum here.

#3 rustymecco


Posted 07 February 2011 - 03:03 PM

Will do.

#4 boopme


Posted 07 February 2011 - 03:41 PM

EDIT: I moved this from XP to the Am I Infected forum...

Hello, let's try this way.

Reboot into Safe Mode with Networking
How to enter safe mode (XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 07 February 2011 - 03:43 PM.


#5 rustymecco


Posted 09 February 2011 - 10:08 AM

Rebooted in safe mode,
ran rkill,
ran SUPERAntiSpyware, here's the log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2011 at 08:29 AM

Application Version : 4.48.1000

Core Rules Database Version : 6365
Trace Rules Database Version: 4155

Scan type : Complete Scan
Total Scan Time : 01:31:05

Memory items scanned : 270
Memory threats detected : 1
Registry items scanned : 7019
Registry threats detected : 0
File items scanned : 61573
File threats detected : 44

Trojan.Agent/Gen-Virut
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISSCH.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISUSPM .EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISUSPM .EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\JAVA\JAVA UPDATE\JUSCHED.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\LINKSYS WIRELESS-G USB WIRELESS NETWORK MONITOR\INVOKESVC3.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QUICKTIME\QTTASK .EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QUICKTIME\QTTASK.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRA~1\SYMANT~1\SYMANT~1\VPTRAY.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\DOCKQUICKINSTALL\CPPCH.EXE.VIR

Adware.Tracking Cookie

Rogue.Agent/Gen
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\0RWI2KG0.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{98794244-F04A-4BE0-A83B-206BDDFD0157}\RP8\A0007366.EXE

Trojan.Agent/Gen-MSFake
C:\WINNT\SYSTEM32\BOOTHOST.DLL

Trojan.Dropper/Win-NV
C:\WINNT\SYSTEM32\EXEFILE.EXE

Rebooted in normal mode, ran rkill,
ran MBAM, here's the log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5718

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/9/2011 9:30:24 AM
mbam-log-2011-02-09 (09-30-24).txt

Scan type: Quick scan
Objects scanned: 198883
Time elapsed: 13 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\userinit (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINNT\system32\us?rinit.exe (Rogue.Antivirus2010) -> Delete on reboot.

During the process, while running SAS, I got several pop-ups from "Internet Security 2011", but was able to stop it and continue.
The computer is working but still slow opening a new program or switching between screens.

Thanks for your help.

#6 boopme


Posted 09 February 2011 - 11:29 AM

Hello, it looks like you have a Virut infection. Combofix and SAS have removed some of it but they will not get it all.

I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a dangerous polymorphic file infector with IRCBot functionality which infects .exe, .scr files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of Virut can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). The Virux and Win32/Virut.17408 variants are even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Virut remains on a computer, the more critical system files will become infected and corrupt, so the degree of damage can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

Virut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog has found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Since Virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files (which could number in the thousands) cannot be deleted and anti-malware scanners cannot disinfect them properly. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.


This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


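A small triage helper for the SUPERAntiSpyware log layout posted earlier in the thread, added here as an example (not code from SAS, ComboFix or anyone in the thread): it separates hits that are still live on the system from ComboFix quarantine copies (.VIR files under QOOBOX), System Restore snapshots and tracking cookies, so a live Virut-family hit such as the scanner's own executable stands out from the already-isolated ones. The embedded log is a constructed, shortened sample in that layout, and the path classification rules are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the SUPERAntiSpyware log quoted in the thread:
# header lines, then one blank-line-separated block per threat family (family name
# first, detected paths below it). Paths are edited sample values, not the real log.
SAMPLE_SAS_LOG = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
File threats detected : 6

Trojan.Agent/Gen-Virut
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QUICKTIME\QTTASK.EXE.VIR

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@example-adserver[1].txt

Rogue.Agent/Gen
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\0RWI2KG0.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{GUID-PLACEHOLDER}\RP8\A0007366.EXE

Trojan.Agent/Gen-MSFake
C:\WINNT\SYSTEM32\BOOTHOST.DLL
"""

WIN_PATH = re.compile(r"^[A-Za-z]:\\")

def parse_sas_log(text):
    """Return {family: [paths]}; header/count blocks contain no paths and are skipped."""
    families = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) >= 2 and all(WIN_PATH.match(ln) for ln in lines[1:]):
            families.setdefault(lines[0], []).extend(lines[1:])
    return families

def classify_path(path):
    """Where a hit lives decides its urgency: isolated copies are not running code."""
    p = path.upper()
    if "\\QOOBOX\\QUARANTINE\\" in p or p.endswith(".VIR"):
        return "quarantine"     # ComboFix quarantine copy, already neutralised
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in p:
        return "restore_point"  # System Restore snapshot: purge restore points
    if "\\COOKIES\\" in p:
        return "cookie"         # tracking cookie, no code execution involved
    return "live"               # executable/DLL still in place on the running system

def triage(text):
    """Group hits by family and location so the live ones stand out."""
    report = defaultdict(lambda: defaultdict(list))
    for family, paths in parse_sas_log(text).items():
        for path in paths:
            report[family][classify_path(path)].append(path)
    return report

def live_hits(report):
    """(family, path) pairs that are still live on the system."""
    return [(fam, p) for fam, locs in report.items() for p in locs.get("live", [])]

def file_infector_signal(report):
    """True when a Virut-family hit is live (here the scanner's own .exe): in the
    thread that is what turned the advice from clean-up to rebuild."""
    return any("VIRUT" in fam.upper() for fam, _ in live_hits(report))
```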

#7 rustymecco


Posted 09 February 2011 - 11:41 AM

Thanks for the info. I'll get started on the rebuild right away.
Could it have infected my flash drive that I keep my utilities on?

#8 boopme


Posted 09 February 2011 - 11:52 AM

Yes, it would. Run this on it and any other machine that drive was connected to.

Download and Run FlashDisinfector

You have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


When you plug the drive into the clean computer make sure you hold down the SHIFT key, which will stop any AutoRuns from executing. You can then run this tool:
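The note above says Flash_Disinfector leaves a hidden folder named autorun.inf on each drive; the folder occupies the name so an autorun worm cannot drop its own autorun.inf file there. The following is an added example of that hardening step (not Flash_Disinfector's code, whose internals the post does not describe): it reports an existing autorun.inf file and the launch directives in it instead of deleting it, and otherwise creates the placeholder directory. Hiding the folder with SetFileAttributesW is my assumption about the mechanism; the demo() helper runs on temporary directories standing in for drive roots.

```python
import os
import sys

AUTORUN_NAME = "autorun.inf"
# Win32 attribute bits for SetFileAttributesW; hidden + system is an assumed choice.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
# autorun.inf directives that launch a program when the drive is inserted.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\")

def inspect_autorun_file(path):
    """Return the launch directives in an existing autorun.inf (kept as evidence)."""
    hits = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key = line.strip().lower().split("=", 1)[0]
            if key.startswith(LAUNCH_KEYS):
                hits.append(line.strip())
    return hits

def protect_drive_root(root):
    """Occupy the autorun.inf name with a directory so a worm cannot drop a file there.

    Returns (status, directives). An existing autorun.inf file is reported, never
    removed: on a drive that was plugged into an infected machine it shows what
    the worm tried to launch, which the clean-up of the other machines needs.
    """
    target = os.path.join(root, AUTORUN_NAME)
    if os.path.isdir(target):
        return "already_protected", []
    if os.path.exists(target):
        return "autorun_file_present", inspect_autorun_file(target)
    os.mkdir(target)
    if sys.platform == "win32":
        # Hide the folder as the note describes (assumed mechanism);
        # ctypes.windll exists only on Windows, so this is skipped elsewhere.
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(
            target, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return "created", []

def demo():
    """Exercise all three outcomes on temporary directories standing in for drive roots."""
    import tempfile
    clean = tempfile.mkdtemp()
    first, second = protect_drive_root(clean), protect_drive_root(clean)
    # Constructed autorun.inf of the kind an autorun worm leaves on a removable drive.
    suspect = tempfile.mkdtemp()
    with open(os.path.join(suspect, AUTORUN_NAME), "w") as fh:
        fh.write("[autorun]\nopen=launch.exe\nicon=drive.ico\nshellexecute=launch.exe\n")
    return first, second, protect_drive_root(suspect)
```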

#9 rustymecco


Posted 09 February 2011 - 01:16 PM

Thanks for the extra advice.



