PC randomly slows down massively & ZeroAccess infection?


  • This topic is locked
31 replies to this topic

#1 JJMononoetoe

JJMononoetoe

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 30 December 2016 - 10:01 AM

Hey guys. Making a new post based on my other thread right here: https://www.bleepingcomputer.com/forums/t/636020/some-drives-go-100-on-windows-10-locking-the-computer-up-zeroaccess/

 

To quote myself:

 

 

I've been having some problems with my computer recently. What happens is that my Windows 10 (build 1607) computer slows down to a crawl, eventually becoming completely unusable. At that point only a hard reset helps. There are no error messages and no BSODs. The computer just stops working.

 

I personally think it's related to the Windows Anniversary update, but I can't revert to the previous build now. I was running out of hard drive space on my Windows drive and the only thing I could remove was the previous build. At that time I wasn't having any problems, so I figured it was safe.

 

I've tried disabling some services as suggested by some websites (namely superfetch and windows search), but that hasn't helped. I've done a virus scan with Avira and MBAM and both of them didn't find anything. I figured it might've been related to the new AMD ReLive drivers, but uninstalling them and running on basic Windows drivers didn't make the problem go away.

 

I have since run RKill, which produced an enormous logfile with a lot of entries referring to "ZEROACCESS Reparse Point/Junction found". I'm not sure if this is at all related to the problem I described before, but either way this sounds problematic.

 

What can and should I do?

 

TL;DR: I'm having incredibly bad slowdown issues that are triggered seemingly randomly. When using RKill I noticed a lot of ZeroAccess related notes. I have since been asked to post a FRST log. I added both FRST files as an attachment.

 

Thanks for the help!

 

EDIT: Using the ESET SysRescue tool returned no threats.

Attached Files


Edited by JJMononoetoe, 30 December 2016 - 12:26 PM.



#2 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,791 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:55 PM

Posted 03 January 2017 - 09:17 AM

JJMononoetoe:
 
Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum.  My name is Phil and I would like to address you by your first name, if that is alright with you since we will be working together.
 
I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time, normally 48 hours after your last post.
 
I will need some time to review your FRST logs.  That could take a day or two.
 
In the meantime, would you please re-run RKill for me, and copy and paste the contents of the RKill log into a reply, as soon as is convenient for you.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil

Graduate of the Bleeping Computer Malware Removal Study Hall


#3 JJMononoetoe

JJMononoetoe
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 03 January 2017 - 09:59 AM

Alright, awesome.

 

Uh, this is weird. When I ran it the other day I got a gargantuan log file, but now it can't find any traces of the ZeroAccess things:

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/03/2017 03:53:58 PM in x64 mode.
Windows Version: Windows 10 Pro 

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * Advanced Explorer Setting Removed:  HideIcons [HKCU]

Backup Registry file created at:
 C:\Users\Joshua\Desktop\rkill\rkill-01-03-2017-03-54-00.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity: 

 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]

 * agp440 [Missing ImagePath]

 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * Cannot edit the HOSTS file.
 * Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/

Program finished at: 01/03/2017 03:54:12 PM
Execution time: 0 hours(s), 0 minute(s), and 13 seconds(s)

Do ZeroAccess Reparse Points/Junctions just disappear like that?
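Added example, not code from the thread or from RKill's authors: a small Python parser for the RKill log format pasted above. It pulls out each "Checking ..." section, the trailing "[...]" integrity tags and the Windows Defender registry value so the findings can be triaged programmatically; the embedded sample log is constructed from the post's own format.

```python
"""Parse findings out of an RKill log (format as pasted in post #3).

Added example, not RKill's or BleepingComputer's own code. The sample log
below is constructed in RKill's format so the parser runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, abridged from the format of the RKill log above.
SAMPLE_LOG = """\
Rkill 2.8.4 by Lawrence Abrams (Grinler)
Program started at: 01/03/2017 03:53:58 PM in x64 mode.
Windows Version: Windows 10 Pro

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * Advanced Explorer Setting Removed:  HideIcons [HKCU]

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\\SOFTWARE\\Microsoft\\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * gagp30kx [Missing Service]
 * agp440 [Missing ImagePath]
 * AJRouter => %SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * vmicrdv => %SystemRoot%\\System32\\icsvcext.dll [Incorrect ServiceDLL]

Checking HOSTS File:

 * Cannot edit the HOSTS file.

Program finished at: 01/03/2017 03:54:12 PM
"""

SECTION_RE = re.compile(r"^(\S.*):\s*$")        # "Checking HOSTS File:"
FINDING_RE = re.compile(r"^\s*\*\s+(.*?)\s*$")   # " * gagp30kx [Missing Service]"
TAG_RE = re.compile(r"\[([^\]]+)\]\s*$")         # trailing "[Missing Service]"
REG_VALUE_RE = re.compile(r'^\s*"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{8})\s*$')

# Lines RKill prints when a check is clean; they are not findings.
NOISE = ("No malware services found", "No malware processes found", "No issues found")


@dataclass
class Finding:
    section: str
    text: str
    tag: Optional[str] = None   # e.g. "Missing Service", "Incorrect ImagePath"
    name: Optional[str] = None  # service name for integrity findings


@dataclass
class RkillReport:
    findings: list = field(default_factory=list)
    registry_values: dict = field(default_factory=dict)

    def by_tag(self, tag: str) -> list:
        return [f.name or f.text for f in self.findings if f.tag == tag]

    @property
    def defender_disabled(self) -> bool:
        # RKill prints the check by name; the registry dword confirms it.
        return self.registry_values.get("DisableAntiSpyware", 0) == 1

    def reports_zeroaccess(self) -> bool:
        return any("ZEROACCESS" in f.text.upper() for f in self.findings)


def parse_rkill_log(text: str) -> RkillReport:
    report = RkillReport()
    section = "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            report.registry_values[m.group(1)] = int(m.group(2), 16)
            continue
        m = FINDING_RE.match(line)
        if not m or m.group(1).startswith(NOISE):
            continue
        body = m.group(1)
        tag_m = TAG_RE.search(body)
        tag = tag_m.group(1) if tag_m else None
        # Service name is everything before " => <path>" or " [tag]".
        name = body.split(" => ")[0].split(" [")[0].strip() if tag else None
        report.findings.append(Finding(section, body, tag, name))
    return report


def concerns(report: RkillReport) -> list:
    """Items a responder looks at first. Note the thread's own caveat: the
    ImagePath/ServiceDLL entries were attributed to a Windows 10 1607 bug."""
    out = []
    if report.reports_zeroaccess():
        out.append("ZeroAccess reparse points/junctions reported")
    if report.defender_disabled:
        out.append("Windows Defender disabled via DisableAntiSpyware=1")
    for tag in ("Incorrect ImagePath", "Incorrect ServiceDLL"):
        for name in report.by_tag(tag):
            out.append(f"{name}: {tag}")
    if any("HOSTS" in f.text for f in report.findings):
        out.append("HOSTS file not editable (permissions)")
    return out


if __name__ == "__main__":
    for item in concerns(parse_rkill_log(SAMPLE_LOG)):
        print(item)
```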



#4 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,791 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:55 PM

Posted 03 January 2017 - 10:43 AM

JJMononoetoe:

 

Thank you for your post and the RKill log.  Nothing serious there.  The driver errors reported are a bug that is associated with the Windows 10 Build 1607 and that will be fixed in the future.

 

There is a reason that I always ask for fresh logs, if a user is reporting malware.  I need to see for myself.  Strange things happen, what can I say?

 

Your FRST logs are massive!  It could take me a few days to get through all 3,394 lines, since I am also helping other people, but I will endeavor to reply as soon as I can.

 

In the meantime, would you please rename your copy of FRST64.exe to FRST64english.exe.  This will force the output into English.  I don't read Dutch.  No need to run any more scans right now, but I am working on creating your FRST fixlist.txt file and the output from running that file will be in English to make it easier for me.

 

I thank you for your patience.  Have a great day.

 

Regards,

-Phil




#5 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,791 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:55 PM

Posted 03 January 2017 - 02:14 PM

JJMononoetoe:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.  In your case, you will have to split up your FRST log files into separate responses of about 1,200 lines each.  You have some 3,390 or so lines of logs, which exceeds the maximum reply post length on this Forum.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

Step 1: In going over your logs I noticed that you have BitTorrent and Resilio Sync installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent and Resilio Sync, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep them, please do not use them until your computer is declared clean.

.

Step 2: In going over your logs, I saw the entry below in Installed Programs:

 

ePUBee DRM Removal (HKLM-x32\...\ePUBee DRM Removal) (Version: 3.1.5.2 - ePUBee Inc.)

 

The entry causes me some concern. That program permits users to duplicate ebooks that are protected by Digital Rights Management (DRM). What are you using that program for?

.

Step 3: The "Addition.txt" file reveals that System Restore is deactivated. For your protection, because malware removal can have unintended consequences, I strongly recommend that you turn on System Restore and configure it. As a part of any FRST "fixes", I will always instruct FRST to create a System Restore Point, so that if something goes wrong, we can get your computer back to where it was BEFORE a FRST fix was run. See this link for instructions as to how to turn on and configure System Restore.  In Windows 10, for some reason, it is off by default, presumably to save space, and you don't have a lot of space on your C: drive, which is an issue.  I would not allocate more than 5 GB to System Restore points.

.

The logs indicate that you are a SERIOUS gamer. In my first pass through your logs, I did not see anything really serious, BUT using P2P networks, as I explained above, is a major attack vector for malware, as well as consuming considerable computer resources. In addition to P2P software, you are running Steam. This link contains more information about the security vulnerabilities, and the drain on your computer resources, by having Steam installed and running. I don't know the specs of your computer, but with all of the installed programs and all of the allowed communications (see "Firewall Rules" in the "Addition.txt" file), your computer could be just becoming overwhelmed by the drain on its resources and then inevitably grinding to a halt.

I will await your response to my question in Step 2. Bleeping Computer does not condone evading software or intellectual property licensing provisions, so I need to understand why you would have such software installed. There could be a legitimate reason. I am making NO allegations. Once we get that settled, I will provide a FRST fix to do some clean-up of your computer - nothing too serious.

Thank you and have a great day.

Regards,
-Phil




#6 JJMononoetoe

JJMononoetoe
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 03 January 2017 - 09:26 PM

In regard to BitTorrent and Sync, I know what I'm doing, but thanks for the warning :) It's always important to be careful when it comes to such things. Also, I use Sync for work documents.

 

Regarding the ePUBee DRM Removal, I actually forgot I had that installed. I once bought an ebook from an online store and discovered afterwards that I could only read it in Adobe Editions. That program is absolutely awful, both on desktop and on mobile. I'm fine with Amazon Kindle because that actually works, but Adobe Editions is just absolutely awful and I refuse to deal with that trainwreck. So no, it's not for spreading the book or something. I just wanted to read it.

 

Interesting that system restore is turned off by default. Yeah, I'll turn it on.



#7 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,791 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:55 PM

Posted 04 January 2017 - 09:34 AM

JJMononoetoe:
 
Thanks for your post and the explanation of the ePUBee DRM Removal program that I saw.  I have absolutely no issues with the use that you described.  That does not contravene Forum policies.
 
It is your computer, of course, but I would not go near any P2P network software.  That is just asking for trouble.  Please don't use it until we get your computer cleaned.
 
.

Step 1: Please run a FRST "Fix" for me, AFTER you have renamed FRST64.exe to FRST64english.exe.

Copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the Desktop.

NOTE: It is important that both files, FRST64english.exe and fixlist.txt are both in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

CreateRestorePoint:
CloseProcesses:

GroupPolicy: Restrictie <======= AANDACHT
FF Extension: (BetterTTV) - C:\Users\Joshua\AppData\Roaming\Mozilla\Firefox\Profiles\zxzE4kDu.default\Extensions\firefox@betterttv.net.xpi [2016-05-20]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Joshua\AppData\Local\Google\Chrome\User Data\WidevineCdm\1.4.8.903\_platform_specific\win_x86\widevinecdmadapter.dll => Geen bestand
CHR Plugin: (Shockwave Flash) - C:\Users\Joshua\AppData\Local\Google\Chrome\User Data\PepperFlash\23.0.0.166\pepflashplayer.dll => Geen bestand
S3 CsrBtPort; \SystemRoot\system32\DRIVERS\CsrBtPort.sys [X]
S3 csrpan; \SystemRoot\System32\drivers\csrpan.sys [X]
S3 csrserial; \SystemRoot\system32\DRIVERS\csrserial.sys [X]
S3 csrusb; \SystemRoot\System32\Drivers\csrusb.sys [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
Folder: C:\ProgramData\{4849B481-B731-442E-B77C-529D90CCC597}
Folder: C:\ProgramData\{9608D7A3-DD22-4121-8066-31C4251301D0}
Folder: C:\ProgramData\{D32EE6FB-8B59-452B-8203-AD46E434361D}
Folder: C:\ProgramData\{6773A69F-BAAF-4138-BA38-16B1C896C9B8}
Folder: C:\ProgramData\{544A9B13-F375-4543-8198-54A1542E6015}
File: C:\WINDOWS\system32\Drivers\Msft_Kernel_avusbflt_01011.Wdf
Task: {33706B04-75C3-4832-A17A-36B8ED8F33DC} - \CCleanerSkipUAC -> Geen bestand <==== AANDACHT
  • Right click FRST64english.exe, and select "Run as Administrator".
  • Then press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste it into your reply.

.

 

Thank you and have a great day.

Regards,
-Phil




#8 JJMononoetoe

JJMononoetoe
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 04 January 2017 - 11:33 AM

Alright, here's the log. Also, do you still need a new FRST log in English?

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by Joshua (04-01-2017 17:26:44) Run:1
Running from C:\Users\Joshua\Downloads
Loaded Profiles: Joshua & postgres (Available Profiles: Joshua & postgres)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:

GroupPolicy: Restrictie <======= AANDACHT
FF Extension: (BetterTTV) - C:\Users\Joshua\AppData\Roaming\Mozilla\Firefox\Profiles\zxzE4kDu.default\Extensions\firefox@betterttv.net.xpi [2016-05-20]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Joshua\AppData\Local\Google\Chrome\User Data\WidevineCdm\1.4.8.903\_platform_specific\win_x86\widevinecdmadapter.dll => Geen bestand
CHR Plugin: (Shockwave Flash) - C:\Users\Joshua\AppData\Local\Google\Chrome\User Data\PepperFlash\23.0.0.166\pepflashplayer.dll => Geen bestand
S3 CsrBtPort; \SystemRoot\system32\DRIVERS\CsrBtPort.sys [X]
S3 csrpan; \SystemRoot\System32\drivers\csrpan.sys [X]
S3 csrserial; \SystemRoot\system32\DRIVERS\csrserial.sys [X]
S3 csrusb; \SystemRoot\System32\Drivers\csrusb.sys [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
Folder: C:\ProgramData\{4849B481-B731-442E-B77C-529D90CCC597}
Folder: C:\ProgramData\{9608D7A3-DD22-4121-8066-31C4251301D0}
Folder: C:\ProgramData\{D32EE6FB-8B59-452B-8203-AD46E434361D}
Folder: C:\ProgramData\{6773A69F-BAAF-4138-BA38-16B1C896C9B8}
Folder: C:\ProgramData\{544A9B13-F375-4543-8198-54A1542E6015}
File: C:\WINDOWS\system32\Drivers\Msft_Kernel_avusbflt_01011.Wdf
Task: {33706B04-75C3-4832-A17A-36B8ED8F33DC} - \CCleanerSkipUAC -> Geen bestand <==== AANDACHT
*****************

Restore point was successfully created.
Processes closed successfully.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
C:\Users\Joshua\AppData\Roaming\Mozilla\Firefox\Profiles\zxzE4kDu.default\Extensions\firefox@betterttv.net.xpi => moved successfully
C:\Users\Joshua\AppData\Local\Google\Chrome\User Data\WidevineCdm\1.4.8.903\_platform_specific\win_x86\widevinecdmadapter.dll => not found.
C:\Users\Joshua\AppData\Local\Google\Chrome\User Data\PepperFlash\23.0.0.166\pepflashplayer.dll => not found.
HKLM\System\CurrentControlSet\Services\CsrBtPort => key removed successfully
CsrBtPort => service removed successfully
HKLM\System\CurrentControlSet\Services\csrpan => key removed successfully
csrpan => service removed successfully
HKLM\System\CurrentControlSet\Services\csrserial => key removed successfully
csrserial => service removed successfully
HKLM\System\CurrentControlSet\Services\csrusb => key removed successfully
csrusb => service removed successfully
HKLM\System\CurrentControlSet\Services\dbx => key removed successfully
dbx => service removed successfully

========================= Folder: C:\ProgramData\{4849B481-B731-442E-B77C-529D90CCC597} ========================

2016-12-25 05:16 - 2016-12-25 05:16 - 0000112 ____C () C:\ProgramData\{4849B481-B731-442E-B77C-529D90CCC597}\instance.dat
2016-12-25 05:16 - 2014-09-22 10:22 - 0579156 ____C () C:\ProgramData\{4849B481-B731-442E-B77C-529D90CCC597}\mia.lib
2016-12-25 05:16 - 2016-12-25 05:16 - 0000544 ____C () C:\ProgramData\{4849B481-B731-442E-B77C-529D90CCC597}\West Africa Setup PC.dat
2016-12-25 05:16 - 2014-09-22 10:22 - 4099313 ____C (Native Instruments) C:\ProgramData\{4849B481-B731-442E-B77C-529D90CCC597}\West Africa Setup PC.exe
2016-12-25 05:16 - 2014-09-22 10:22 - 0360448 ____C () C:\ProgramData\{4849B481-B731-442E-B77C-529D90CCC597}\West Africa Setup PC.msi
2016-12-25 05:16 - 2016-12-25 05:16 - 0004097 ____C () C:\ProgramData\{4849B481-B731-442E-B77C-529D90CCC597}\West Africa Setup PC.par
2016-12-25 05:16 - 2014-09-22 10:22 - 11029020 ____C () C:\ProgramData\{4849B481-B731-442E-B77C-529D90CCC597}\West Africa Setup PC.res

====== End of Folder: ======


========================= Folder: C:\ProgramData\{9608D7A3-DD22-4121-8066-31C4251301D0} ========================

2016-12-25 05:09 - 2016-12-25 05:09 - 0000109 ____C () C:\ProgramData\{9608D7A3-DD22-4121-8066-31C4251301D0}\instance.dat
2016-12-25 05:09 - 2013-10-10 17:56 - 0579156 ____C () C:\ProgramData\{9608D7A3-DD22-4121-8066-31C4251301D0}\mia.lib
2016-12-25 05:09 - 2016-12-25 05:09 - 0000520 ____C () C:\ProgramData\{9608D7A3-DD22-4121-8066-31C4251301D0}\Rammfire Setup PC.dat
2016-12-25 05:09 - 2013-10-10 17:56 - 4073176 ____C (Native Instruments) C:\ProgramData\{9608D7A3-DD22-4121-8066-31C4251301D0}\Rammfire Setup PC.exe
2016-12-25 05:09 - 2013-10-10 17:56 - 0360448 ____C () C:\ProgramData\{9608D7A3-DD22-4121-8066-31C4251301D0}\Rammfire Setup PC.msi
2016-12-25 05:09 - 2016-12-25 05:09 - 0002977 ____C () C:\ProgramData\{9608D7A3-DD22-4121-8066-31C4251301D0}\Rammfire Setup PC.par
2016-12-25 05:09 - 2013-10-10 17:56 - 11029022 ____C () C:\ProgramData\{9608D7A3-DD22-4121-8066-31C4251301D0}\Rammfire Setup PC.res

====== End of Folder: ======


========================= Folder: C:\ProgramData\{D32EE6FB-8B59-452B-8203-AD46E434361D} ========================

2016-12-25 05:07 - 2016-12-25 05:07 - 0000124 ____C () C:\ProgramData\{D32EE6FB-8B59-452B-8203-AD46E434361D}\instance.dat
2016-12-25 05:07 - 2016-12-25 05:07 - 0000606 ____C () C:\ProgramData\{D32EE6FB-8B59-452B-8203-AD46E434361D}\Kontakt Factory Library Setup PC.dat
2016-12-25 05:07 - 2016-03-09 10:27 - 4234172 ____C (Native Instruments) C:\ProgramData\{D32EE6FB-8B59-452B-8203-AD46E434361D}\Kontakt Factory Library Setup PC.exe
2016-12-25 05:07 - 2016-03-09 10:27 - 0638976 ____C () C:\ProgramData\{D32EE6FB-8B59-452B-8203-AD46E434361D}\Kontakt Factory Library Setup PC.msi
2016-12-25 05:07 - 2016-12-25 05:07 - 0004381 ____C () C:\ProgramData\{D32EE6FB-8B59-452B-8203-AD46E434361D}\Kontakt Factory Library Setup PC.par
2016-12-25 05:07 - 2016-03-09 10:27 - 27497113 ____C () C:\ProgramData\{D32EE6FB-8B59-452B-8203-AD46E434361D}\Kontakt Factory Library Setup PC.res
2016-12-25 05:07 - 2016-03-09 10:27 - 0579156 ____C () C:\ProgramData\{D32EE6FB-8B59-452B-8203-AD46E434361D}\mia.lib

====== End of Folder: ======


========================= Folder: C:\ProgramData\{6773A69F-BAAF-4138-BA38-16B1C896C9B8} ========================

2016-12-25 04:54 - 2016-12-25 04:54 - 0000619 ____C () C:\ProgramData\{6773A69F-BAAF-4138-BA38-16B1C896C9B8}\Berlin Concert Grand Setup PC.dat
2016-12-25 04:54 - 2012-02-07 14:41 - 4451784 ____C (Native Instruments) C:\ProgramData\{6773A69F-BAAF-4138-BA38-16B1C896C9B8}\Berlin Concert Grand Setup PC.exe
2016-12-25 04:54 - 2012-02-07 14:41 - 0312832 ____C () C:\ProgramData\{6773A69F-BAAF-4138-BA38-16B1C896C9B8}\Berlin Concert Grand Setup PC.msi
2016-12-25 04:54 - 2016-12-25 04:54 - 0004275 ____C () C:\ProgramData\{6773A69F-BAAF-4138-BA38-16B1C896C9B8}\Berlin Concert Grand Setup PC.par
2016-12-25 04:54 - 2012-02-07 14:41 - 12138181 ____C () C:\ProgramData\{6773A69F-BAAF-4138-BA38-16B1C896C9B8}\Berlin Concert Grand Setup PC.res
2016-12-25 04:54 - 2016-12-25 04:54 - 0000121 ____C () C:\ProgramData\{6773A69F-BAAF-4138-BA38-16B1C896C9B8}\instance.dat
2016-12-25 04:54 - 2012-02-07 14:41 - 0579156 ____C () C:\ProgramData\{6773A69F-BAAF-4138-BA38-16B1C896C9B8}\mia.lib

====== End of Folder: ======


========================= Folder: C:\ProgramData\{544A9B13-F375-4543-8198-54A1542E6015} ========================

2016-12-25 04:49 - 2016-12-25 04:49 - 0000650 ____C () C:\ProgramData\{544A9B13-F375-4543-8198-54A1542E6015}\Battery 3 Setup PC.dat
2016-12-25 04:49 - 2011-08-17 12:07 - 4404336 ____C (Native Instruments) C:\ProgramData\{544A9B13-F375-4543-8198-54A1542E6015}\Battery 3 Setup PC.exe
2016-12-25 04:49 - 2011-08-17 12:07 - 0455168 ____C () C:\ProgramData\{544A9B13-F375-4543-8198-54A1542E6015}\Battery 3 Setup PC.msi
2016-12-25 04:49 - 2016-12-25 04:49 - 0014199 ____C () C:\ProgramData\{544A9B13-F375-4543-8198-54A1542E6015}\Battery 3 Setup PC.par
2016-12-25 04:49 - 2011-08-17 12:07 - 12226152 ____C () C:\ProgramData\{544A9B13-F375-4543-8198-54A1542E6015}\Battery 3 Setup PC.res
2016-12-25 04:49 - 2016-12-25 04:49 - 0000110 ____C () C:\ProgramData\{544A9B13-F375-4543-8198-54A1542E6015}\instance.dat
2016-12-25 04:49 - 2011-08-17 12:07 - 0579156 ____C () C:\ProgramData\{544A9B13-F375-4543-8198-54A1542E6015}\mia.lib

====== End of Folder: ======


========================= File: C:\WINDOWS\system32\Drivers\Msft_Kernel_avusbflt_01011.Wdf ========================

File not signed
MD5: 
Creation and modification date: 2016-12-23 17:16 - 2016-12-23 17:16
Size: 0000000
Attributes: ---AH
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 

====== End of File: ======

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{33706B04-75C3-4832-A17A-36B8ED8F33DC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{33706B04-75C3-4832-A17A-36B8ED8F33DC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC => key not found. 


The system needed a reboot.

==== End of Fixlog 17:27:00 ====


#9 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,791 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:55 PM

Posted 04 January 2017 - 12:26 PM

JJMononoetoe:

Thank you for the fixlog.txt. That looked good. Those C:\ProgramData\{CLSID} folders that I was wondering about are a part of Native Instruments installers, so they are not of concern, since you have many components of that software installed.

I don't require another set of FRST logs just yet, but thank you for the offer. I would like you to run a few standard scans for me, please, since not everything is detected by FRST. We will see what shows up and go from there.

.

Step 1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!


.

Step 2: I know that you said that you did run a Malwarebytes scan that was negative, so let's do an Emsisoft scan just to double check.

Emsisoft Emergency Kit

  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled).
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures.
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.

Please Copy and Paste the contents of the scan log in your next reply.


.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#10 JJMononoetoe (Topic Starter)

Posted 05 January 2017 - 11:09 AM

Just did both scans, and I don't think anything necessarily malicious popped up:

 

ESET Log:

D:\Programs\System\Cheat Engine 6.4\standalonephase1.dat	een variant van Win32/HackTool.CheatEngine.AF potentieel onveilige toepassing	opgeschoond door te verwijderen
E:\Mijn documenten\Downloads\ccsetup504.exe	Win32/Bundled.Toolbar.Google.D potentieel onveilige toepassing	verwijderd
E:\Mijn documenten\Downloads\produkey.zip	een variant van Win32/PSWTool.ProductKey potentieel onveilige toepassing	verwijderd

Potentieel onveilige toepassing = Potentially insecure application

Opgeschoond door te verwijderen = Cleaned by deletion

 

I did end up cleaning it, but Cheat Engine is a commonly detected false positive. It's a program that can alter program memory, which I occasionally use for one of my games in a non-harmful way (getting myself items because I'm lazy, usually).

 

EMSI Log:

Emsisoft Emergency Kit - Version 12.0
Scan log

Datum	Scan Methode	Objecten Gescand	Objecten Gedetecteerd	Duur	Type	Computer Name	
5-1-2017 15:16:55	Malware	88152	0	0:02:05	Handmatige scan	GAMING_MACHINE	

EMSI didn't find anything.



#11 garioch7 (Malware Response Instructor, Port Hood, Nova Scotia, Canada)

Posted 05 January 2017 - 12:01 PM

JJMononoetoe:
 
Thanks for your post.  You are right.  Nothing of real consequence in the logs.
 
I think that the next thing we should do, since I don't think malware is responsible, at this point in time (always subject to change), is to check your system files.
 
 
Step 1: Please run a System File Checker (SFC) scan to assess the integrity of the Windows 10 file system.

  • Click on the "Start" button.
  • In the "search" box at the bottom, type cmd.
  • Look for Cmd.exe to appear at the top of the menu.
  • Right-click on cmd.exe and choose Run As Administrator.
  • Type sfc /scannow. Ensure that there is a space between "sfc" and "/scannow"
  • The scan will start and may take from 20 minutes to an hour to run.
  • Please report the results from the System File Checker in your next post. Does it report "No Resource Integrity Violations Found", "Errors Repaired", or "Unable to Repair", or words to that effect?

If SFC reports uncorrectable errors, please immediately navigate to the folder C:\Windows\Logs\CBS, locate the file "CBS.log", and copy (not move) it to your Desktop. That file is "volatile", so we need to ensure that it is not overwritten with new results.

.

Thank you and have a great day.

 

Regards,

-Phil




#12 JJMononoetoe (Topic Starter)

Posted 05 January 2017 - 08:24 PM

Alright! I ran the test and it's saying that it didn't find any integrity violations!



#13 garioch7 (Malware Response Instructor, Port Hood, Nova Scotia, Canada)

Posted 06 January 2017 - 10:28 AM

JJMononoetoe:

Thank you for your post. That is great news that there are not any resource integrity violations detected by the System File Checker.

Let's check your hard disk. Bad sectors or a corrupted file system might account for some computer sluggishness.

.

Step 1: To determine if your C: drive is an SSD or a conventional hard drive on Windows 8/8.1 or 10, please press the Windows logo key and search for "optimize" in the Windows Start menu. Select: Defragment and optimize your drives. See this link for more information.
For Windows 7 and earlier, please press the Windows logo key + R together, then type control and press the <Enter> key. Click on "System and Security" and then click on "Device Manager". Next, click on "Disk Drives" to open up a list of disk drives on your computer. If it is an SSD drive, it should say so in the description; but if you are not sure, "Google" the model number of the drive that you want to run chkdsk on.

It is important not to run chkdsk /r on an SSD as it will lead to excessive wear and shorten the life of an SSD. For SSD drives, use the chkdsk /f command.

  • Please open an Elevated Command Prompt. To do this:
    • Press the Windows "Start" button.
    • Type "cmd.exe" into the "Search" box.
    • At the top of the list that generates, you should see "cmd.exe".
    • Right click "cmd.exe" and select "Run as Administrator".
  • Type the following command exactly: chkdsk /r unless you have an SSD hard drive, in which case, type chkdsk /f.
  • Please note that there is a space between "chkdsk" and "/r" or "/f".
  • You will get a message that the volume is locked and do you want to reboot.
  • Click on "Yes" to permit the computer to reboot.
  • When the computer reboots, do not press any keys. Let the chkdsk run, which will take several hours.
  • The computer will reboot automatically when the "chkdsk" has finished.

Please follow the instructions here to find the results of the "chkdsk" scan.

Please copy and paste those results into your next reply.

You should run this command when you will not need your computer. The chkdsk scan can take five to ten hours, or more, depending on whether the hard drive is SSD or conventional, and the size and amount of data on the drive.

.

Thank you and have a great day.

Regards,
-Phil


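Since the post above hinges on choosing chkdsk /r or /f by drive type, here is an added PowerShell example (not from the thread or from any tool it mentions) that looks up the media type of a drive letter, picks the switch accordingly, and reads back the last scheduled chkdsk summary from the Application log. It assumes a Windows 8/10 or later system with the Storage module cmdlets available, and that a physical disk's DeviceId matches the partition's DiskNumber; the function names are hypothetical.

```powershell
# Added example: pick the chkdsk switch by media type, as the post advises.
# Assumes Get-Partition / Get-PhysicalDisk (Storage module, Windows 8+).

function Get-DriveMediaType {
    param([Parameter(Mandatory)][string]$DriveLetter)
    $letter = $DriveLetter.TrimEnd(':')
    $partition = Get-Partition -DriveLetter $letter -ErrorAction Stop
    # Assumption: PhysicalDisk.DeviceId (a string) equals the partition's DiskNumber.
    $physical = Get-PhysicalDisk |
        Where-Object { $_.DeviceId -eq "$($partition.DiskNumber)" }
    if (-not $physical) { return 'Unknown' }
    return [string]$physical.MediaType   # 'SSD', 'HDD' or 'Unspecified'
}

function Get-ChkdskArguments {
    param([Parameter(Mandatory)][string]$DriveLetter)
    $letter = $DriveLetter.TrimEnd(':') + ':'
    $media  = Get-DriveMediaType -DriveLetter $letter
    # /r (surface scan for bad sectors) only on a spinning disk; SSDs and
    # anything we cannot identify get the conservative /f the post recommends.
    $switch = if ($media -eq 'HDD') { '/r' } else { '/f' }
    return "$letter $switch"
}

function Get-LastChkdskResult {
    # A chkdsk that ran at boot writes its summary to the Application log
    # as Wininit event 1001; return the newest such message, or $null.
    $event = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1001
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($event) { return $event.Message }
    return $null
}

# Usage from an elevated prompt: show what would run, then (optionally) run it.
$chkdskArgs = Get-ChkdskArguments -DriveLetter 'C'
Write-Host "C: is $(Get-DriveMediaType -DriveLetter 'C'); would run: chkdsk $chkdskArgs"
# Uncomment to schedule the check (the system drive will ask to reboot first):
# Start-Process -FilePath chkdsk.exe -ArgumentList $chkdskArgs -Wait -NoNewWindow
# After the reboot, Get-LastChkdskResult returns the same text the post asks you to paste.
```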


#14 JJMononoetoe (Topic Starter)

Posted 08 January 2017 - 08:04 PM

Sorry for the late response. I ran it on my Windows drive (C:). Do you want me to run it on my other drives as well?



Checking file system on C:
The type of the file system is NTFS.


A disk check has been scheduled.
Windows will now check the disk.

Stage 1: Examining basic file system structure ...
  603648 file records processed.
File verification completed.
  16806 large file records processed.
  0 bad file records processed.
Stage 2: Examining file name linkage ...
  733944 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered to lost and found.
Stage 3: Examining security descriptors ...
Cleaning up 88 unused index entries from index $SII of file 0x9.
Cleaning up 88 unused index entries from index $SDH of file 0x9.
Cleaning up 88 unused security descriptors.
Security descriptor verification completed.
  65149 data files processed.
CHKDSK is verifying Usn Journal...
  120184784 USN bytes processed.
Usn Journal verification completed.

Windows has scanned the file system and found no problems.
No further action is required.

 116757503 KB total disk space.
  82195800 KB in 311918 files.
    185448 KB in 65150 indexes.
         0 KB in bad sectors.
    797055 KB in use by the system.
     65536 KB occupied by the log file.
  33579200 KB available on disk.

      4096 bytes in each allocation unit.
  29189375 total allocation units on disk.
   8394800 allocation units available on disk.

Internal Info:
00 36 09 00 eb bf 05 00 6f 6b 0a 00 00 00 00 00  .6......ok......
4a 0f 00 00 17 79 00 00 00 00 00 00 00 00 00 00  J....y..........

Windows has finished checking your disk.
Please wait while your computer restarts.

It was actually done in a minute or so!



#15 garioch7 (Malware Response Instructor, Port Hood, Nova Scotia, Canada)

Posted 09 January 2017 - 01:09 PM

JJMononoetoe:

Thank you for your post. OK, so we know that your system files are good and that there are no hard disk errors. That is good news.

Let's have a look for some other potential culprits that might be causing the slowdown.

.

Step 1: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of every logfile is saved in the C:\AdwCleaner folder, which was created when running the tool.

.

Step 2: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.

.

Thank you and have a great day.

Regards,
-Phil






