Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Some sort of bug removed, intermittent hanging w/ mouse


  • This topic is locked This topic is locked
11 replies to this topic

#1 watergrrl

watergrrl

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Denver, CO
  • Local time:02:58 PM

Posted 27 April 2012 - 02:13 AM

I could not run Defogger, Win7 said "You must be administrator to run Defogger." My login is administrator, or at least should be, and was when I first got this machine.

Found this:

http://www.bleepingcomputer.com/forums/topic394929.html/page__st__15__p__2230275__hl__defogger__fromsearch__1#entry2230275

So I skipped step #6 after no response to my original post:

http://www.bleepingcomputer.com/forums/topic450979.html/page__p__2674308__fromsearch__1#entry2674308

------------

- Step 7: Ran
- Step 8: skipped GMER per instructions as i'm running 64bit

Any ideas what I have/had? (sorry, I ran combofix before hitting this site...)



ORIGINAL PROBLEM/POST:
----------------------

Problem: My machine is intermittently sluggish after a clean-up attempt and I fear lingering processes might be running still.

At risk of being too verbose:

I have a brand spanking new work machine - dell latitude E6420; brand spanking new image with Windows7 pro 64-bit, quad core i5, 8GB memory. With this throughput the symptoms aren't super noticible to the unobserving eye but i've been using it and notice new lags.

I don't want the PC guys to re-image and the guy I worked with thought everything was just fine on it. However he didn't know about the "Hide system files (recommended)" setting in windows explorer View menu, so, well, here I am.

Friend's netbook had a bug and I copied files onto a USB stick, opening via notepad on my machine. Well I clicked something wrong and opened the file, not open as notepad, and some sort of window I don't remember popped up. Mighta beena .cab file? Things got a little sluggish after, strange directories started appearing, a bogus user got added, duplicate processes running like Dropbox.exe, but one was not the normal ProgramFiles location. c:\SystemVolumeInformation being created...


Actions 1:
- McAfee - clean scan. Configured profile to not omit any file type (zip or (mme?)) and rescanned - clean.
- Ran Malwarebytes - clean. Don't remember if it was in safe mode.
- Safe mode: autoruns.exe - nixed some processes, don't remember. I'm impulsive...
- deleted bogus user, after which I noticed some of the random behavior went away
- still have a file dd_vsto_ret20MSI5E2F.txt, which says it installed "c:\4cd......90b\trin_trir.msi This isn't normal..

(at this point I plugged in the same flash drive and McAfee EndPoint Detection sniffed out a GameVance executable and deleted it)

Action 2:
- IT Desktop Support guy created new Windows profile
However, strange files/directories still showing up in new profile:
- c:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab and wsus3setup.cab still being updated
- $RECYCLE.BIN directory?? (is this normal win7 ??)
- hidden "Documents and Settings" folder (was told that's an XP-only folder, not win7). Access denied.

Actions 3:
- McAfee - clean scan.
- Configured McAfee profile to _not_ omit any file type (nor zip or (mme?)) and rescanned - clean.
- friend told me to run ComboFix, so ran it. Some .vir files were created in Quarantine.
- Gave up

I'm new to windows7 and the files and folders are a different from XP, and could be normal and I could be paranoid...

I'm suspicious still because the mouse starts to lag on occasion, which shouldn't happen on a new, fast machine. Also, svchost.exe will fire up taking lots of processor on occasion, kicking on the machine's fan. I created a mini dump but haven't figured out how to view it yet.

BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 03 May 2012 - 02:15 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/451620 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 watergrrl

watergrrl
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Denver, CO
  • Local time:02:58 PM

Posted 03 May 2012 - 09:11 PM

Replying to autobot response:
----------------------------
===== If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.

A detailed description is on the original post. Again, sorry for running ComboFix before hitting you guys up.
To summarize:
- mouse touchpad loses responsiveness intermittently
- have to request access to folders that should be specific to my profile
- Cannot run some applications or enter some folders, get an error saying I need to have Administrator privileges. My user does have Admin rights.

New behavior:
- I lose the ability to copy/paste via hotkeys or right mouse click. Need to reboot.
- Windows taskbar dies sporadically (every 2 days or so) then restarts. No copy/paste after this.


===== A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
===== If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.

New DDS logs are attached.
I am running 64 bit so no GMER log attached.
Windows 7 Professional 64 bit
- windows edition
- Service Pack 1


===== Please tell us if you have your original Windows CD/DVD available.

No, it's a corporate image and I'm trying to avoid reimaging....


===== Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 08 May 2012 - 02:20 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:58 AM

Posted 13 May 2012 - 04:33 AM

Hello and sorry for the delay! My name is Elise and I'll assist you with this issue.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 watergrrl

watergrrl
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Denver, CO
  • Local time:02:58 PM

Posted 14 May 2012 - 01:57 AM

Hi Elise, thanks for the reply.

I mentioned in my earlier posts, I had run ComboFix before finding BleepingComputer. I re-ran it tonight (ComboFix.txt) and I'm attaching both logs, a lot more was removed the first run which might give more info (4-19-2012_ComboFix.txt).

Also, as I was disabling McAffee, I noticed programs have been excluded so I attached these screenshots. I specifically removed all these exclusions a while ago, and they're are back. Some directories don't even exist, like d:\tools\ and and c:\home which might be created/deleted by whatever bugs are here?

Finally, after rebooting after running ComboFix, *something* was quickly flashing around the lower right area of the screen, like something was re-installing. :(

Please advise!

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:58 AM

Posted 14 May 2012 - 07:16 AM

I see nothing wrong here. The symptoms/folders you describe are normal. What actual problems do you ahve that may point to malware (pop ups, redirects and so on)?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 watergrrl

watergrrl
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Denver, CO
  • Local time:02:58 PM

Posted 14 May 2012 - 11:47 AM

Ok so all the stuff that comboFix put in the quarantine folders are normal programs and don't require any further followup?

The problems I'm having are
- Few times an evening the mouse/trackpad becomes slow and unresponsive for less than a minute interval
- Lose the abilty to copy/paste after a few hours and need to reboot
- Taskbar/explorer crashes once a week and restarts itself (coincidentally corresponding to the copy/paste issue)
- Cannot access some folders or run some programs with the error saying only an admin can run it. My profile is Administrator. Why can't I run these?

If you feel all this is normal for a brand new Win7 64b machine, I'll take your word.

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:58 AM

Posted 14 May 2012 - 12:13 PM

On Windows 7 not all folders are accessible, some have system permissions only, that is normal and a safety precaution.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 watergrrl

watergrrl
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Denver, CO
  • Local time:02:58 PM

Posted 20 May 2012 - 08:22 AM

oops, ran it then lost track of the week. Only one thing showed up, I just DL'd it but never installed.
[attachment=124017:ESETresults.txt]
C:\Users\cs18469\Downloads\FreeYouTubeDownload.exe Win32/OpenCandy application deleted - quarantined


So I guess there's no bug then?

Do you think it's the system logger that's causing my mouse to hang?
Haven't had the copy/paste error....since I ran combo fix again, I think.

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:58 AM

Posted 20 May 2012 - 10:30 AM

The mouse issue is not caused by malware. Have you tried to use another mouse (external/usb) and does it have the same problems?

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:

    • Press windows key Posted Image + r on your keyboard at the same time. In the run box type combofix /uninstall, then press OK.

      Posted Image
    • This will remove Combofix and other tools we used from your computer.
  • You can delete any other tool or log by simply deleting them.
Please read the following advice on how to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:58 AM

Posted 27 May 2012 - 03:27 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users