CPU infected - Asking for malware removal help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by FRT, Aug 24, 2010.

  1. FRT

    FRT Private E-2

    OS: Windows XP Pro SP2

    My CPU has been running odd for the past 5 days. Programs would stop on their own, I received a black screen, and programs were laboring to load. I had not run Spybot Search and Destroy for about a month, so I thought that would perhaps find some problem. I have always had success in locating problems with Spybot in the past. I also have used Lavasoft Ad-Aware in conjunction. I tried to run Spybot, but the system was incredibly slow. In one instance Spybot crashed, another instance it ran for about 9 hours and was only 1/10 of its way through the scan list, and another time it ran faster (though still very slow compared to how it used to run) but did not find any problems. I then ran a fresh install of Ad-Aware, which took many hours to run, and that came up with no problems also. While the programs were taking a painfully long time to run, the hard drive would have a constant "marching" sound coming from it.

    At this point I found your forum on malware removal, and began to systematically work through the step-by-step process. I had used MSConfig in the past to stop programs from startup, so when I set to normal mode (Step 4) and rebooted, the CPU ground to a complete halt, taking eons to load and not allowing any programs to run (unless I waited 30 mins. for my Explorer to open) at normal operating speed. I must have unleashed prior malware hidden in the CPU, though I am not sure. The "marching" described earlier occurred constantly now. I tried to reboot into Safe Mode, and this slightly improved the boot time, but still programs were taking forever to load. Something was causing problems. I rebooted to Safe Mode again and tried a System Restore, but every System Restore I tried for the past 3 weeks would fail.

    I was able to use add/remove programs, HJT, and the windows services to remove programs I was not using, to clean-up the startup, and to change services that were not needed to run automatically to manual. Some programs would not remove in Safe Mode. Though, no longer is MSConfig being used!

    At this point, a boot into safe mode became more reasonable, but still slow, and still lots of "marching" from the hard drive during the boot and login procedure and when any program was attempted to be executed.

    I then completed all of the steps and began with Step 7 for Windows XP.

    I completed all of the downloads without any problems.

    SUPERAntiSpyware and Malwarebytes Anti-Malware both found malware on the CPU and cleaned it successfully. I tried to boot into normal Windows mode and it was more reasonable than before. Safe Mode worked much, much better, with "marching" only occurring when I logged in for about a minute. Still, when programs were started, "marching" occurred, making things slow to run.

    I was unable to run ComboFix. I tried multiple times, and it would never complete a scan, though it did find things, but would hang up and never fix nor create a log.

    I was also unable to run RootRepeal. It would run and find files, but then hang up at the same place, repeatably, a folder in windows\temp. CCleaner was not removing this file from the temp folder. When I tried using Safe Mode with Command Prompt, I could not access the folder that was hanging up RootRepeal. DOS gave a recursive file error.

    I was able to run MGtools and create logs, though one log had 0 bytes even after trying to use the suggested fix (under error 1).

    The CPU is still infected, as it was not running this way 5 days ago, and I am looking for help to clean the remaining malware off the CPU.

    Logs are attached.

    Thank you for the comprehensive DIY malware removal procedure. I hope to be fully clean and better informed for the future with your help.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware on your system. Did you disable your AV software before you tried to run ComboFix?

    When you say your hard drive is making a "marching" sound, could you be a little more specific? Is it clicking? That would be an indication that your hard drive is dying.
     
  3. FRT

    FRT Private E-2

    TimW-

    Thank you for looking at my logs. That is good news the malware is gone.

    To answer your question, I did turn off my Symantec AV and the Windows firewall before running.

    I decided to try ComboFix again, this time in normal boot instead of to safe mode. It worked without a problem. Log is attached.

    Since ComboFix worked, I tried RootRepeal as well, which worked better, though it gave disk-checking errors and suggested chkdsk. The log is also attached.

    The noises from the hard drive I am describing are from searching and seeking, and not the clicking I would expect from a dying drive; though I did run drive diagnostics and came up with errors, so there is some type of hardware issue unless it is a false positive. I am going to run chkdsk and make sure I have backed-up copies of any new files daily until resolved.

    If you would not mind reviewing my logs from ComboFix and RootRepeal to make sure malware is completely cleared out, I would appreciate it.

    Thank you for all your help.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are fine. There is no malware in either RootRepeal or Combo.

    I do suggest you run chkdsk and look for errors. A failing hard drive will sometimes act like malware.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your disk emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:




     
  5. FRT

    FRT Private E-2

    Dear TimW-

    Thank you for all of your help. Good to hear everything is clean.

    Sorry it took some time to get back, but chkdsk /r ran for about 18 hours and found all sorts of issues that needed repair. Everything seems to be working well now, and the drive is not making odd noises any longer.

    I went through all of the final steps you listed without any problems.

    I do have a final question for you, and that is related to step 10 point 5:

    I currently am running Symantec AV and would like to continue with this. Could you recommend which of the free real-time blocking tools (there was a list given) would work in conjunction with Symantec AV, since I noticed that there may be conflicts between some of these and AV programs?

    Again, thank you for your assistance. The malware forum has been excellent, and I am leaving much more informed than I was a few days ago. :)
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would suggest SpywareBlaster, as long as you check for updates periodically. Of course, you should also keep SAS and MBAM for backup scanning when you feel something is amiss.

    You are most welcome. Safe surfing!! :)
     
