Computer slow after Trojan attack


  • This topic is locked
50 replies to this topic

#1 Tzivitzonis

Tzivitzonis

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:06:30 PM

Posted 22 December 2012 - 03:29 PM

Hi to all!
I have read similar topics concerning the title. I open this new topic, seeking help...

About 2 weeks ago I was infected with Sirefef EZ and EV Trojan variants. The trojans were detected by my AV (NOD32), but it could not remove/delete them. I sought help on Google. I was led to a forum where there was a link to some ESET tool that was supposed to remove the trojan(s) (ESETSirefefRemover). I ran the tool and after the reboot there was no NOD32 notification of any malware present, either in active memory or anywhere else. After that my PC is running slower than a running snail... :mellow: I checked C: for errors with check-disk and defragged the disk as well. No luck after these steps either... :huh: I also downloaded and installed MBAM, but this also found no threats.

I am not sure as to what log I should paste here, so I give the one from ESET and below the one from MBAM, for now:
EDIT 23/12/2012 - 11:36am
I came across the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help and read about DDS, so I post this log also!

ESET log
13/12/2012 Real-time file system protection file C:\System Volume Information\_restore{F9A26F7F-51E4-46B5-A29E-C3DE77B534B1}\RP235\A0026919.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined XP\gianel Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
11/12/2012 Real-time file system protection file C:\System Volume Information\_restore{F9A26F7F-51E4-46B5-A29E-C3DE77B534B1}\RP235\A0026907.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
11/12/2012 Real-time file system protection file C:\System Volume Information\_restore{F9A26F7F-51E4-46B5-A29E-C3DE77B534B1}\RP235\A0026886.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
11/12/2012 Real-time file system protection file C:\System Volume Information\_restore{F9A26F7F-51E4-46B5-A29E-C3DE77B534B1}\RP235\A0026873.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
10/12/2012 Real-time file system protection file C:\System Volume Information\_restore{F9A26F7F-51E4-46B5-A29E-C3DE77B534B1}\RP235\A0026865.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
10/12/2012 Real-time file system protection file C:\System Volume Information\_restore{F9A26F7F-51E4-46B5-A29E-C3DE77B534B1}\RP235\A0026858.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
10/12/2012 Real-time file system protection file C:\System Volume Information\_restore{F9A26F7F-51E4-46B5-A29E-C3DE77B534B1}\RP234\A0025858.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
10/12/2012 Real-time file system protection file C:\System Volume Information\_restore{F9A26F7F-51E4-46B5-A29E-C3DE77B534B1}\RP234\A0024858.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
10/12/2012 Real-time file system protection file C:\WINDOWS\system32\Drivers\netbt.sys.vir Win32/Sirefef.DA trojan cleaned by deleting - quarantined XP\gianel Event occurred on a new file created by the application: C:\Documents and Settings\gianel\My Documents\Received files\ESETSirefefRemover.exe.
10/12/2012 Startup scanner file Operating memory » services.exe(776) probably a variant of Win32/Sirefef.EV trojan unable to clean XP\gianel
10/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan deleted XP\gianel
10/12/2012 Startup scanner file Operating memory » services.exe(780) probably a variant of Win32/Sirefef.EV trojan unable to clean
10/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan deleted
10/12/2012 Startup scanner file Operating memory » services.exe(780) probably a variant of Win32/Sirefef.EV trojan unable to clean XP\gianel
10/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan deleted XP\gianel
9/12/2012 Startup scanner file Operating memory » services.exe(780) probably a variant of Win32/Sirefef.EV trojan unable to clean XP\gianel
9/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan XP\gianel
9/12/2012 Startup scanner file Operating memory » services.exe(780) probably a variant of Win32/Sirefef.EV trojan unable to clean
9/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan
9/12/2012 Startup scanner file Operating memory » services.exe(780) probably a variant of Win32/Sirefef.EV trojan unable to clean XP\gianel
9/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan XP\gianel
9/12/2012 Startup scanner file Operating memory » services.exe(776) probably a variant of Win32/Sirefef.EV trojan unable to clean XP\gianel
9/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan XP\gianel
9/12/2012 Startup scanner file Operating memory » services.exe(784) probably a variant of Win32/Sirefef.EV trojan unable to clean XP\gianel
9/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan deleted XP\gianel
9/12/2012 Startup scanner file Operating memory » services.exe(768) probably a variant of Win32/Sirefef.EV trojan unable to clean
9/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan deleted
9/12/2012 Startup scanner file Operating memory » services.exe(768) probably a variant of Win32/Sirefef.EV trojan unable to clean XP\gianel
9/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan deleted XP\gianel
9/12/2012 Startup scanner file Operating memory » services.exe(768) probably a variant of Win32/Sirefef.EV trojan unable to clean XP\gianel
9/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan deleted XP\gianel

Malwarebytes' log
Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.13.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
gianel :: XP [administrator]

Protection: Enabled

13/12/2012 10:06:45 πμ
mbam-log-2012-12-13 (10-06-45).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 272201
Time elapsed: 54 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TNod (Trojan.Agent.CK) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\TNod User & Password Finder\uninst-tnod.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.

(end)

DDS log
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by gianel at 11:28:20 on 2012-12-23
Microsoft Windows XP Professional 5.1.2600.3.1253.30.1032.18.3070.2340 [GMT 2:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ================
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\BHPS\Pmap1\bin\MapperMonService.exe
C:\Program Files\BHPS\JRE160\bin\javaw.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\BHPS\lic\bin\lmgrd.exe
C:\Program Files\BHPS\lic\bin\lmgrd.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\BHPS\lic\bin\bhepcls.exe
C:\Program Files\BHPS\SZNW\bin\DBMonService.exe
C:\Program Files\BHPS\SZNW\bin\tbmux32.exe
C:\Program Files\BHPS\SZNW\bin\QLinkService.exe
C:\Program Files\BHPS\SZNW\bin\tbkern32.exe
C:\Documents and Settings\gianel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\gianel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\gianel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\gianel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\gianel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.gr/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\gianel\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Nokia Tray Application] c:\program files\common files\nokia\ncltools\NclTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\f2da~1\599a~1\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CA015AC0-AD7F-4AAB-9ECF-57261F2D84B7} - hxxp://www.snaponbusinesssolutions.com/downloads/LicensingControl.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{815D4E6E-2828-47E4-B32F-5AC1F59CB0C5} : DHCPNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-12-21 94872]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-1-12 810144]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-12-13 399432]
R2 pqeauto.database.dbmonitor.SZNW;pqeauto.database.dbmonitor.SZNW;c:\program files\bhps\sznw\bin\dbmonservice.exe -sn"pqeauto.database.dbmonitor.sznw" -f"c:\program files\bhps\sznw\bin\dbmonitorcmds.ini" --> c:\program files\bhps\sznw\bin\DBMonService.exe -snpqeauto.database.dbmonitor.SZNW [?]
R2 pqeauto.energy.mappermonitor;pqeauto.energy.mappermonitor;c:\program files\bhps\pmap1\bin\mappermonservice.exe -sn"pqeauto.energy.mappermonitor" -f"c:\program files\bhps\pmap1\bin\mappermonitorcmds.ini" --> c:\program files\bhps\pmap1\bin\MapperMonService.exe -snpqeauto.energy.mappermonitor [?]
R2 QLinkService.SZNW;QLinkService.SZNW;c:\program files\bhps\sznw\bin\QLinkService.exe [2012-10-3 126976]
R2 Snap-on Product License Manager;Snap-on Product License Manager;c:\program files\bhps\lic\bin\lmgrd.exe [2012-10-3 1423440]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2011-12-23 44032]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-12-13 676936]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-12-23 1684736]
S3 cpuz134;cpuz134;\??\c:\docume~1\gianel\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\gianel\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-13 22856]
S3 Snap-on Integration - Professional;Snap-on Integration - Professional;c:\program files\bhps\per\PELiteWindowsService.exe [2010-5-4 90112]
S4 SirefefRemover;SirefefRemover;c:\windows\system32\drivers\SirefefRemover.sys [2012-12-10 21264]
.
=============== Created Last 30 ================
.
2012-12-18 14:14:01 -------- d-----w- c:\documents and settings\gianel\application data\SUPERAntiSpyware.com
2012-12-18 14:12:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-12-18 14:12:14 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-12-15 23:59:40 2412 ----a-w- c:\windows\system32\ASOROSet.bin
2012-12-15 23:52:20 -------- d-----w- c:\documents and settings\gianel\application data\Nico Mak Computing
2012-12-15 23:52:10 17224 ----a-w- c:\windows\system32\roboot.exe
2012-12-15 23:52:07 -------- d-----w- c:\program files\WinZip Registry Optimizer
2012-12-13 08:04:53 -------- d-----w- c:\documents and settings\gianel\application data\Malwarebytes
2012-12-13 07:39:52 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-12-13 07:39:51 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-13 07:39:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-10 14:15:32 21264 ----a-w- c:\windows\system32\drivers\SirefefRemover.sys
2012-12-09 09:27:04 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-09 00:06:24 -------- d-----w- c:\program files\Mega Codec Pack
2012-12-02 15:20:13 -------- d-----w- c:\program files\YourFileDownloader
2012-12-02 15:20:13 -------- d-----w- c:\documents and settings\gianel\application data\YourFileDownloader
.
==================== Find3M ====================
.
2012-12-10 14:15:17 162816 ----a-w- c:\windows\system32\drivers\netbt.sys.org
2012-12-09 09:27:04 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-10 21:29:59 6266 --sha-w- c:\documents and settings\all users\application data\KGyGaAvL.sys
2012-11-06 18:19:17 1409 ----a-w- c:\windows\QTFont.for
2012-10-03 19:27:17 344064 ----a-w- c:\windows\system32\msvcr70.dll
2012-09-24 12:32:24 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 12:32:20 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-24 10:51:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 11:28:45,54 ===============


I appreciate any help in advance! :thumbsup:

Edited by Tzivitzonis, 23 December 2012 - 05:03 AM.
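As an added illustration (not part of the original post or of any ESET tool), a small Python triage script over a few of the ESET log lines above. It separates restore-point copies (inert files under System Volume Information) from live files and from in-memory objects the scanner could not clean, which is the distinction a helper reading this log cares about; the line format is inferred from the posted entries and the sample lines are copied from them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six entries copied from the ESET log posted above.
SAMPLE_LOG = [
    r"13/12/2012 Real-time file system protection file C:\System Volume Information\_restore{F9A26F7F-51E4-46B5-A29E-C3DE77B534B1}\RP235\A0026919.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined XP\gianel Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.",
    r"11/12/2012 Real-time file system protection file C:\System Volume Information\_restore{F9A26F7F-51E4-46B5-A29E-C3DE77B534B1}\RP235\A0026907.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.",
    r"10/12/2012 Real-time file system protection file C:\WINDOWS\system32\Drivers\netbt.sys.vir Win32/Sirefef.DA trojan cleaned by deleting - quarantined XP\gianel Event occurred on a new file created by the application: C:\Documents and Settings\gianel\My Documents\Received files\ESETSirefefRemover.exe.",
    r"10/12/2012 Startup scanner file Operating memory » services.exe(776) probably a variant of Win32/Sirefef.EV trojan unable to clean XP\gianel",
    r"10/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan deleted XP\gianel",
    r"9/12/2012 Startup scanner file Operating memory » \GLOBAL??\37716e1b\WINDOWS\$NtUninstallKB22890$\930180635\Desktop.ini a variant of Win32/Sirefef.EZ trojan XP\gianel",
]

# One ESET entry: date, scanner, scanned object, threat name, action taken,
# account, and (for real-time hits) the application that touched the file.
# The pattern is inferred from the posted lines, not from ESET documentation.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<scanner>Real-time file system protection|Startup scanner)\s+file\s+"
    r"(?P<target>.+?)\s+"
    r"(?:probably a variant of |a variant of )?(?P<threat>Win32/\S+)\s+trojan"
    r"(?:\s+(?P<action>cleaned by deleting - quarantined|unable to clean|deleted))?"
    r"(?:\s+(?P<user>[^\s\\]+(?: [^\s\\]+)*\\\S+))?"
    r"(?:\s+Event occurred .*?by the application:\s+(?P<app>.+?)\.?)?$"
)


@dataclass
class Detection:
    date: str
    scanner: str
    target: str
    threat: str
    action: Optional[str]
    user: Optional[str]
    app: Optional[str]

    @property
    def in_restore_point(self) -> bool:
        # System Restore copies: on-disk backups, not running code.
        return "\\System Volume Information\\_restore" in self.target

    @property
    def in_memory(self) -> bool:
        # The startup scanner reports loaded processes/modules this way.
        return self.target.startswith("Operating memory")

    @property
    def cleaned(self) -> bool:
        return self.action in ("cleaned by deleting - quarantined", "deleted")


def parse_eset_log(lines) -> List[Detection]:
    """Parse ESET log lines; lines that do not fit the format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append(Detection(**m.groupdict()))
    return records


def triage(records: List[Detection]) -> dict:
    """Split detections into restore-point noise, live files and live memory."""
    summary = {
        "restore_point_hits": 0,   # copies inside System Volume Information
        "live_file_hits": [],      # files outside restore points
        "memory_uncleaned": [],    # in-memory objects the scanner could not clean
        "by_threat": {},           # threat -> {"cleaned": n, "not_cleaned": n}
    }
    for r in records:
        counts = summary["by_threat"].setdefault(r.threat, {"cleaned": 0, "not_cleaned": 0})
        counts["cleaned" if r.cleaned else "not_cleaned"] += 1
        if r.in_restore_point:
            summary["restore_point_hits"] += 1
        elif r.in_memory:
            if not r.cleaned and r.target not in summary["memory_uncleaned"]:
                summary["memory_uncleaned"].append(r.target)
        else:
            summary["live_file_hits"].append(r.target)
    return summary


if __name__ == "__main__":
    result = triage(parse_eset_log(SAMPLE_LOG))
    print("restore-point copies:", result["restore_point_hits"])
    print("live files:", result["live_file_hits"])
    print("still in memory, not cleaned:", result["memory_uncleaned"])
    for threat, counts in result["by_threat"].items():
        print(threat, counts)
```

The "memory_uncleaned" list is the part worth reading first: a running services.exe flagged repeatedly as "unable to clean" means the scanner is reporting, not removing, the active component.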


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 25 December 2012 - 09:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.

#3 Tzivitzonis

Tzivitzonis
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:06:30 PM

Posted 25 December 2012 - 11:26 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

Hi nasdaq! Thanx for the welcome and for volunteering to help! :clapping:

I will be running the tests (hopefully today) in the order you suggested and post the logs/results to see.
One next thing: Tomorrow 26/12 and 27/12 I will be away from the PC, so I will see you on the 28th
:wink:

#4 Tzivitzonis

Tzivitzonis
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:06:30 PM

Posted 25 December 2012 - 06:16 PM

I ran the fixes/tests and here are the logs/results:

-------------ComboFix.txt---------------
ComboFix 12-12-10.01 - gianel 25/12/2012 18:47:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1253.30.1032.18.3070.2520 [GMT 2:00]
Running from: c:\documents and settings\gianel\+Ώώ?-Ίίώά ί±ήά?-ά?\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\6C682F6109.sys
c:\windows\system32\drivers\SirefefRemover.sys
c:\windows\system32\roboot.exe
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SirefefRemover
-------\Service_SirefefRemover
.
.
((((((((((((((((((((((((( Files Created from 2012-11-25 to 2012-12-25 )))))))))))))))))))))))))))))))
.
.
2012-12-18 14:14 . 2012-12-18 14:14 -------- d-----w- c:\documents and settings\gianel\Application Data\SUPERAntiSpyware.com
2012-12-18 14:12 . 2012-12-18 14:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-12-18 14:12 . 2012-12-18 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-12-15 23:59 . 2012-12-16 00:04 2412 ----a-w- c:\windows\system32\ASOROSet.bin
2012-12-15 23:52 . 2012-12-15 23:52 -------- d-----w- c:\documents and settings\gianel\Application Data\Nico Mak Computing
2012-12-15 23:52 . 2012-12-15 23:56 -------- d-----w- c:\program files\WinZip Registry Optimizer
2012-12-13 08:04 . 2012-12-13 08:04 -------- d-----w- c:\documents and settings\gianel\Application Data\Malwarebytes
2012-12-13 07:39 . 2012-12-13 07:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-12-13 07:39 . 2012-12-13 07:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-13 07:39 . 2012-09-29 17:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-13 07:26 . 2012-12-13 07:36 -------- d-----w- c:\documents and settings\Administrator
2012-12-09 09:40 . 2012-12-09 09:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-12-09 09:27 . 2012-12-09 09:27 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-09 00:06 . 2012-12-09 00:06 -------- d-----w- c:\program files\Mega Codec Pack
2012-12-02 15:20 . 2012-12-02 15:27 -------- d-----w- c:\program files\YourFileDownloader
2012-12-02 15:20 . 2012-12-02 15:20 -------- d-----w- c:\documents and settings\gianel\Application Data\YourFileDownloader
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-10 14:15 . 2012-12-10 14:15 162816 ----a-w- c:\windows\system32\drivers\netbt.sys.org
2012-12-09 09:27 . 2011-12-23 15:41 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-10 21:29 . 2012-01-08 21:09 6266 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2012-11-06 18:19 . 2012-11-06 18:19 1409 ----a-w- c:\windows\QTFont.for
2012-10-03 19:27 . 2012-10-03 19:27 344064 ----a-w- c:\windows\system32\msvcr70.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-09-19 . 3932A44BFC26F301F6F14FAFEE2328DB . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2012-12-09 00:06 220160 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 4763008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-12 17887232]
"nwiz"="nwiz.exe" [2009-04-30 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"Nokia Tray Application"="c:\program files\Common Files\Nokia\NCLTools\NclTray.exe" [2003-01-03 425984]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-18 2752512]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SirefefRemover]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [21/12/2010 3:04 μμ 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [21/12/2010 1:47 μμ 94872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/7/2011 6:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/7/2011 11:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [11/7/2012 8:54 PM 116608]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/1/2011 4:41 PM 810144]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [13/12/2012 9:39 AM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13/12/2012 9:39 AM 676936]
R2 pqeauto.database.dbmonitor.SZNW;pqeauto.database.dbmonitor.SZNW;c:\program files\BHPS\SZNW\bin\DBMonService.exe -sn"pqeauto.database.dbmonitor.SZNW" -f"c:\program files\BHPS\SZNW\bin\DBMonitorCmds.ini" --> c:\program files\BHPS\SZNW\bin\DBMonService.exe -snpqeauto.database.dbmonitor.SZNW [?]
R2 pqeauto.energy.mappermonitor;pqeauto.energy.mappermonitor;c:\program files\BHPS\Pmap1\bin\MapperMonService.exe -sn"pqeauto.energy.mappermonitor" -f"c:\program files\BHPS\Pmap1\bin\MapperMonitorCmds.ini" --> c:\program files\BHPS\Pmap1\bin\MapperMonService.exe -snpqeauto.energy.mappermonitor [?]
R2 QLinkService.SZNW;QLinkService.SZNW;c:\program files\BHPS\SZNW\bin\QLinkService.exe [3/10/2012 9:31 PM 126976]
R2 Snap-on Product License Manager;Snap-on Product License Manager;c:\program files\BHPS\lic\bin\lmgrd.exe [3/10/2012 8:51 PM 1423440]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [23/12/2011 1:37 PM 44032]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/12/2012 9:39 AM 22856]
S?2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/7/2012 12:28 PM 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [23/12/2010 12:39 PM 1684736]
S3 cpuz134;cpuz134;\??\c:\docume~1\gianel\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\gianel\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 Snap-on Integration - Professional;Snap-on Integration - Professional;c:\program files\BHPS\PER\PELiteWindowsService.exe [4/5/2010 10:43 PM 90112]
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-24 19:56]
.
2012-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-24 19:56]
.
2012-12-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1417001333-1435225099-1004Core.job
- c:\documents and settings\gianel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-24 08:00]
.
2012-12-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1417001333-1435225099-1004UA.job
- c:\documents and settings\gianel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-24 08:00]
.
2012-12-25 c:\windows\Tasks\Registry Optimizer_DEFAULT.job
- c:\program files\WinZip Registry Optimizer\Winzipro.exe [2012-12-15 23:56]
.
2012-12-15 c:\windows\Tasks\Registry Optimizer_UPDATES.job
- c:\program files\WinZip Registry Optimizer\Winzipro.exe [2012-12-15 23:56]
.
2012-12-18 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 5fc651c8-8ffd-4fa8-add8-f702d54bf685.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2012-12-25 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task f87bc46b-093e-4c7d-97ac-14939e26d7ba.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2012-12-25 c:\windows\Tasks\YourFile DownloaderUpdate.job
- c:\program files\YourFileDownloader\YourFileUpdater.exe [2012-12-02 15:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.gr/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: {CA015AC0-AD7F-4AAB-9ECF-57261F2D84B7} - hxxp://www.snaponbusinesssolutions.com/downloads/LicensingControl.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-25 19:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3700)
c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\BHPS\Pmap1\bin\MapperMonService.exe
c:\program files\BHPS\JRE160\bin\javaw.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\BHPS\lic\bin\bhepcls.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\BHPS\SZNW\bin\DBMonService.exe
c:\program files\BHPS\SZNW\bin\tbmux32.exe
c:\program files\BHPS\SZNW\bin\tbkern32.exe
c:\windows\system32\imapi.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\rundll32.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-12-25 19:02:51 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-25 17:02
.
Pre-Run: 7 directories, 33.735.553.024 bytes free
Post-Run: 8 directories, 33.834.127.360 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - D136FEC460CAE97D965A843B79E33AF2

-------------Security Check (checkup.txt)---------------
Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
ESET NOD32 Antivirus 4.2
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Java™ 6 Update 26
Java™ 6 Update 37
Java version out of Date!
Adobe Flash Player 11.1.102.55
Adobe Reader 10.1.4 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
ESET NOD32 Antivirus egui.exe
ESET NOD32 Antivirus ekrn.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C::
````````````````````End of Log``````````````````````


-------------AdwCleaner[R1].txt---------------
# AdwCleaner v2.102 - Logfile created 12/25/2012 at 19:08:27
# Updated 23/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : gianel - XP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\gianel\Επιφάνεια εργασίας\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\gianel\Application Data\yourfiledownloader
Folder Found : C:\Program Files\yourfiledownloader

***** [Registry] *****

Key Found : HKCU\Software\Softonic

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Documents and Settings\gianel\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1036 octets] - [25/12/2012 19:08:27]

########## EOF - C:\AdwCleaner[R1].txt - [1096 octets] ##########


........let me know if the problem persists.

Startup boot time is a bit faster now, but the opening of a program (e.g. Outlook Express, Chrome, Winword, etc.) is not. For example, I start up the PC, letting all drivers load and the HDD settle. I then run Chrome, which takes about 20 sec to show up fully operational at the Google home page. :huh:

Waiting for further instructions (if any), keeping in mind that:

One more thing: tomorrow 26/12 and 27/12 I will be away from the PC, so I will see you on the 28th.

:wink:
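The service and scheduled-task sections of the ComboFix report above are where a responder looks first, and the questions are always the same: where does each image live, could ComboFix read the file at all (a `[?]` trailer means it could not report a date or size), and does the path match something another tool already flagged. The script below is an added example for this thread, not a ComboFix, AdwCleaner or BleepingComputer tool; it applies exactly those three checks to the two listings. The sample lines are copied from the report in this post, and the two PUP markers are the names AdwCleaner reported further down the same post. Anything it flags is a review item, not a verdict: the per-user Google Update task it marks is expected on this machine, while the CPU-Z driver loading from a Temp folder with no readable file is the kind of entry worth confirming by hand.

```python
"""Triage of the services and 'Scheduled Tasks' sections of a ComboFix report.

Added example for this thread; it is not a ComboFix, AdwCleaner or
BleepingComputer tool.  It encodes the checks a responder makes by eye:
where does each image live, could ComboFix stat the file, and does the
path match something another tool already flagged.
"""
import re
from dataclasses import dataclass, field

# Locations an unprivileged XP user can write to.  A service image, and
# above all a kernel driver (.sys), loading from here deserves a second look.
USER_WRITABLE = ("/temp/", "/local settings/", "/application data/",
                 "/documents and settings/", "/docume~1/")

# Names AdwCleaner reported on this machine (taken from its log in this thread).
PUP_MARKERS = ("yourfiledownloader", "softonic")

SERVICE_RE = re.compile(r"^(R\d|S\??\d)\s+([^;]+);([^;]*);(.*)$")
TRAILER_RE = re.compile(r"^(.*?)\s*\[([^\]]*)\]\s*$")       # "... [date size]" or "... [?]"
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|sys|dll))", re.IGNORECASE)
TASK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(.+\.job)\s*$")
TASK_TARGET_RE = re.compile(r"^-\s+(.+?)\s*\[([^\]]*)\]\s*$")


@dataclass
class Finding:
    kind: str                                    # "service" or "task"
    name: str
    image: str
    reasons: list = field(default_factory=list)  # empty list = nothing to review


def _reasons_for(image: str, info: str) -> list:
    norm = image.lower().replace("\\", "/")
    reasons = []
    if any(m in norm for m in USER_WRITABLE):
        what = "kernel driver" if norm.endswith(".sys") else "image"
        reasons.append(f"{what} loads from a user-writable location")
    if any(m in norm for m in PUP_MARKERS):
        reasons.append("path matches an AdwCleaner PUP finding")
    if info.strip() == "?":
        reasons.append("ComboFix could not stat the file ([?] instead of date/size)")
    return reasons


def parse_services(text: str) -> list:
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, _display, rest = m.groups()
        if " --> " in rest:                       # "cmdline --> resolved path [info]"
            rest = rest.split(" --> ", 1)[1]
        t = TRAILER_RE.match(rest)
        body, info = (t.group(1), t.group(2)) if t else (rest, "")
        if body.startswith("\\??\\"):             # NT object-manager prefix
            body = body[4:]
        im = IMAGE_RE.match(body)                # drop any command-line arguments
        image = im.group(1) if im else body
        out.append(Finding("service", f"{start} {name}", image, _reasons_for(image, info)))
    return out


def parse_tasks(text: str) -> list:
    out = []
    lines = [ln.strip() for ln in text.splitlines()]
    for job_line, target_line in zip(lines, lines[1:]):
        m, t = TASK_RE.match(job_line), TASK_TARGET_RE.match(target_line)
        if not (m and t):
            continue
        job = m.group(2).rsplit("\\", 1)[-1]
        out.append(Finding("task", job, t.group(1), _reasons_for(t.group(1), t.group(2))))
    return out


def flagged(findings: list) -> list:
    return [f for f in findings if f.reasons]


# Constructed sample: lines copied from the ComboFix report in this thread.
SAMPLE_SERVICES = r"""
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13/12/2012 9:39 AM 676936]
S3 cpuz134;cpuz134;\??\c:\docume~1\gianel\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\gianel\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
R2 pqeauto.database.dbmonitor.SZNW;pqeauto.database.dbmonitor.SZNW;c:\program files\BHPS\SZNW\bin\DBMonService.exe -sn"pqeauto.database.dbmonitor.SZNW" -f"c:\program files\BHPS\SZNW\bin\DBMonitorCmds.ini" --> c:\program files\BHPS\SZNW\bin\DBMonService.exe -snpqeauto.database.dbmonitor.SZNW [?]
"""
SAMPLE_TASKS = r"""
2012-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-24 19:56]
2012-12-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1417001333-1435225099-1004Core.job
- c:\documents and settings\gianel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-24 08:00]
2012-12-25 c:\windows\Tasks\YourFile DownloaderUpdate.job
- c:\program files\YourFileDownloader\YourFileUpdater.exe [2012-12-02 15:20]
"""

if __name__ == "__main__":
    for f in flagged(parse_services(SAMPLE_SERVICES) + parse_tasks(SAMPLE_TASKS)):
        print(f"{f.kind:8} {f.name}\n         {f.image}\n         -> {'; '.join(f.reasons)}")
```

Run it on a whole ComboFix log by feeding the file's text to both parsers; lines that do not match either format are ignored, so the rest of the report can be passed through unchanged.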

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 26 December 2012 - 11:24 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26
Java™ 6 Update 37


Java 7 update 10 introduces important new security controls
You can read about it here.
http://nakedsecurity.sophos.com/2012/12/19/java-7-update-10-introduces-important-new-security-controls/

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Delete this file (in bold) if still present.
c:\windows\Tasks\YourFile DownloaderUpdate.job

Restart the computer normally.

Post the log and let me know what problem persists.

#6 Tzivitzonis

Tzivitzonis
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:06:30 PM

Posted 28 December 2012 - 12:16 PM

Hi nasdaq! :busy:
Back on the pc again, so here is what I've done after your last post:

1) Java and Adobe Reader successfully updated.
2) Log of AdwCleaner:

# AdwCleaner v2.103 - Logfile created 12/28/2012 at 18:13:15
# Updated 25/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : gianel - XP
# Boot Mode : Normal
# Running from : C:\Documents and Settings\gianel\Τα έγγραφά μου\Ληφθέντα αρχεία\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\gianel\Application Data\yourfiledownloader
Folder Deleted : C:\Program Files\yourfiledownloader

***** [Registry] *****

Key Deleted : HKCU\Software\Softonic

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Documents and Settings\gianel\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1054 octets] - [28/12/2012 18:13:15]

########## EOF - C:\AdwCleaner[S1].txt - [1114 octets] ##########

3) Deletion of c:\windows\Tasks\YourFile DownloaderUpdate.job
4) I restarted the PC and let it log onto Windows. I also uninstalled 1-2 unwanted programs (e.g. MBAM, which had expired) and shut the PC down. I timed the boot time, from the power-on button click to logging in to Windows until the HDD came to a rest (not a VERY busy LED). It was about 5 min and the networking tray icon lit up at approx. 4.5 min :blink: Chrome needs about 45 sec to open up at the Google search home page. :o After the task AdwCleaner did, the Chrome preferences file was reported as damaged. Anyway, I set the preferences again and proceeded.

It seems like I am clean regarding adware and things like that, but the system is still slow... Shall I redo some HDD error fixes with check-disk, or a defragment? I have a feeling that my registry is a mess, and when I click to open Chrome, for example, the PC goes through a labyrinth to work out what that click of mine was... :wacko:

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 28 December 2012 - 01:23 PM

I would remove Chrome using the Add/Remove Programs and reinstall a fresh copy.

===


Download ATF Cleaner by Atribune from here and save it to your Desktop.
Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache


The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

* The purpose of the Prefetch folder is to increase the speed at which you can access the programs that you use on your PC. Unfortunately, Windows doesn't differentiate between a program you use every day and one you use every blue moon, which means that it may be prefetching a lot of stuff that you rarely use, adding to your startup time.
You may find that the first time you boot up after cleaning out this folder, your PC takes longer to get into gear - the second, and subsequent, boots should be quicker.
===

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Keep me posted.

#8 Tzivitzonis

Tzivitzonis
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:06:30 PM

Posted 28 December 2012 - 03:35 PM

Firstly, thanks for the reply! :thumbup2:

As for the cookies clean-up...: you suggested that I re-install Chrome. Wouldn't this delete ALL cookies (the un-installation of my current Chrome I mean) in the first place? If so, is the next step of ATF-cleaner necessary?


As for the ESET online scan: I use the ESET NOD32 Antivirus. Is it necessary to scan my system with the online-scan, or my local AV will do the same job?


Just asking for clarifications before I proceed to the steps you suggested...

Edited by Tzivitzonis, 28 December 2012 - 03:36 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 29 December 2012 - 08:12 AM

As for the cookies clean-up...: you suggested that I re-install Chrome. Wouldn't this delete ALL cookies (the un-installation of my current Chrome I mean) in the first place? If so, is the next step of ATF-cleaner necessary?


Making sure that all the cookies are removed will not take much of your time.
My primary purpose was to clean the Prefetch folder.

Forget about Eset for now.

#10 Tzivitzonis

Tzivitzonis
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:06:30 PM

Posted 29 December 2012 - 06:50 PM

Ok, let's see...
A fresh Chrome has been installed.
ATF Cleaner was run as instructed.
ESET scan was not performed for now.


You may find that the first time you boot up after cleaning out this folder, your PC takes longer to get into gear - the second, and subsequent, boots should be quicker.

This may be happening, as boot time has improved a bit. From power-on click to logging into Windows (and the HDD settling down a bit) takes about 3 min now, and the network tray icon comes up at 2.5 min (from 4.5!!). Chrome and other programs I frequently use take about the same time to open, although a little improvement was observed.


Unfortunately, Windows doesn't differentiate between a program you use every day and one you use every blue moon, which means that it may be prefetching a lot of stuff that you rarely use, adding to your startup time.

Can I change that manually somehow?

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 30 December 2012 - 09:05 AM

Can I change that manually somehow?

No it's a function of the Operating System.

===

Let's check the integrity of your files.

Restart the computer, select the Recovery Console before it defaults to the Operating system. ( You have approx. 2 sec to do it)

At the DOS prompt type sfc /scannow and hit the Enter key.

Let it finish.

Any improvement?

#12 Tzivitzonis

Tzivitzonis
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:06:30 PM

Posted 30 December 2012 - 09:34 AM

Restart the computer, select the Recovery Console before it defaults to the Operating system. (You have approx. 2 sec to do it)

I have less! :( In fact, the Console just blinks! And it continues to load Windows...
Can I pause it somehow so I have the time to select Recovery Console?

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 30 December 2012 - 09:43 AM

Open the C:\boot.ini file with NotePad.

Change the timeout=2 under the boot loader section.

[boot loader]
timeout=2

Change it to 10 like this.
timeout=10 ... No space before the 10.

Save the file.

Restart the computer normally.

p.s.
Make sure that you do not change any other setting - important.

You can change it back to 2 or change it to 5.
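The caveat in the post above, change the timeout and nothing else, is easy to get wrong in Notepad on a file whose other lines decide which partition the machine boots from. The script below is an added example for this thread (not a Microsoft tool and not something the poster used): it edits only the `timeout=` line inside `[boot loader]`, refuses to write if it finds any number of such lines other than one, and reports a line-by-line diff so you can confirm nothing else moved before the file is saved. The sample boot.ini is the one ComboFix printed earlier in this thread. Two practical notes: boot.ini normally carries the read-only, hidden and system attributes, so clear them first with `attrib -r -s -h C:\boot.ini` and put them back afterwards; and Windows XP Professional also ships `bootcfg.exe`, whose `/timeout` switch makes the same change from a command prompt.

```python
"""Raise the boot.ini timeout without touching anything else.

Added example for the advice above; it is not a Microsoft tool and not code
from this thread.  The [boot loader] timeout is the only line it will edit,
which turns the 'do not change any other setting' caveat into a check.
"""
import re
import sys

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
TIMEOUT_RE = re.compile(r"^(\s*timeout\s*=\s*)(\d+)(\s*)$", re.IGNORECASE)


def set_boot_timeout(text: str, seconds: int) -> str:
    """Return boot.ini text with the [boot loader] timeout set to `seconds`.

    Raises ValueError unless exactly one timeout line exists in that section,
    so a malformed or unexpected file is left alone rather than half-edited.
    """
    if not isinstance(seconds, int) or seconds < 0:
        raise ValueError("timeout must be a non-negative whole number of seconds")
    lines = text.splitlines(keepends=True)
    section, changed = None, 0
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        eol = line[len(body):]                     # keep CRLF exactly as found
        s = SECTION_RE.match(body)
        if s:
            section = s.group(1).lower()
            continue
        if section != "boot loader":               # never touch [operating systems]
            continue
        m = TIMEOUT_RE.match(body)
        if m:
            lines[i] = f"{m.group(1)}{seconds}{m.group(3)}{eol}"
            changed += 1
    if changed != 1:
        raise ValueError(f"expected one timeout line in [boot loader], found {changed}")
    return "".join(lines)


def changed_lines(before: str, after: str) -> list:
    """(line number, old, new) for every line that differs, to prove the edit
    was limited to the timeout line before the file is written back."""
    b, a = before.splitlines(), after.splitlines()
    if len(a) != len(b):
        raise ValueError("line count changed; refusing to write")
    return [(n + 1, x, y) for n, (x, y) in enumerate(zip(b, a)) if x != y]


# Constructed sample: the boot.ini that ComboFix printed earlier in this thread.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

if __name__ == "__main__":
    # Usage: python boot_timeout.py C:\boot.ini 10
    # (clear the attributes first: attrib -r -s -h C:\boot.ini)
    # With no arguments it dry-runs against the sample above.
    path, secs = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else (None, 10)
    before = open(path, newline="").read() if path else SAMPLE_BOOT_INI
    after = set_boot_timeout(before, secs)
    for n, old, new in changed_lines(before, after):
        print(f"line {n}: {old!r} -> {new!r}")
    if path:
        open(path, "w", newline="").write(after)
```

Opening and writing with `newline=""` keeps the file's CRLF line endings byte for byte, which matters for a file NTLDR parses at boot. The diff printed before the write is the check: it should show exactly one line, the timeout.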

#14 Tzivitzonis

Tzivitzonis
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greece
  • Local time:06:30 PM

Posted 30 December 2012 - 04:14 PM

After changing the boot.ini as showed, I managed to get to the prompt of the Console! :thumbup2:
Typed sfc /scannow and the message was: "The command is not recognised. Type HELP for a list of supported commands" :blink:

I searched in Google whether there is such a command for Win XP and came across this. I also tried the sfc /scannow /offbootdir=c:\ /offwindir=c:\windows command but the message was the same as above... :wacko: What if I try it from cmd (under Start -> Run...)?

#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 31 December 2012 - 08:58 AM

Restart the computer with the Recovery console.

Type CMD and hit the Enter key.

at the prompt type

sfc /scannow

Any luck?
