System still running slow

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SweetLD215, Aug 22, 2014.

  1. SweetLD215

    SweetLD215 Private E-2

    Hi there!

    I was helping a friend with her computer as it was running slow. Prior to doing anything, it was going so slow that I wasn't sure anything worked on it. I couldn't get IE to open at all. I went through the read and run me first post, and that did help. IE does open now, but the PC is still pretty slow, and it does freeze and close itself, at times. Also, I'm getting pop ups - like jucheck and pc vault, but I can't seem to remove either one.

    I did have trouble with MGtools and got some kind of error about HiJackThis. I had the error typed up, but when IE froze and closed, I lost the verbiage. It said something about going to start, run, and deleting some HiJackThis files, I think. It looks like it did run though so hopefully it worked properly. Please let me know if I can provide any additional information.


    Computer:
    HP 610-1130f
    Windows 7 Home Premium
    Intel Core i3-2100 CPU @ 3.10GHz
    4.00GB installed memory (RAM)
    64 bit operating system


    Any help you can offer would be greatly appreciated. Thank you so much!
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run Hitman Pro and have it remove all that it finds.
    Now, MGTools.exe did not run correctly, so please try again, this time ensuring that protection software is disabled, that UAC is indeed disabled and that you are running it as admin! :)

    Attach the new MGlogs.zip when done.
     
  3. SweetLD215

    SweetLD215 Private E-2

    Hi there!

    I tried to run MGtools again, and get a new error now: SteelWerX WhoAmI application stopped working (so I hit Close program as it's the only option). It seems to continue to run, though.

    I made sure UAC is disabled and disabled the antivirus and firewall too.

    Hopefully it ran correctly this time. I've attached the log file for MGlog and a new HitmanPro in case that's needed :)

    I am still having problems with IE freezing and closing. It seems to mostly do this when I try to put attachments in the post (it took me four tries).
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    RebateInformer <--- Uninstall this


    Fix item using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate this detection:

    • [ZeroAccess][Folder] Install -- C:\Users\f.sandoval\AppData\Local\Google\Desktop\Install -> FOUND

    Place a checkmark next to this item, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Download and run OTM.


    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.
    Code:
    :files
    C:\ProgramData\75825f3c82d81940
    C:\ProgramData\RoyAlCoupon
    C:\ProgramData\RoyalShoiPperApp
    C:\ProgramData\RoyAlShoppeRAppp
    C:\ProgramData\SaverPro
    C:\Program Files (x86)\RebateInformer
    C:\Program Files (x86)\RoyAlCoupon
    C:\Program Files (x86)\RoyalShoiPperAp
    C:\Program Files (x86)\TidyNetwork
    c:\progra~2\search~1\search~1\bin\spvc32~2.dll
    C:\Users\f.sandoval\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{246A4609-373D-493A-BD60-3E78F907A677}.ico
    
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{09971cee-01b8-42bc-9d91-456b1faad6be}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{09971cee-01b8-42bc-9d91-456b1faad6be}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{246A4609-373D-493A-BD60-3E78F907A677}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    • Re run RogueKiller (just a scan) and attach log.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    • Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  5. SweetLD215

    SweetLD215 Private E-2

    I tried to uninstall RebateInformer, but it just says:
    File "C:\Program Files (x86)\RebateInformer\unins000.dat" does not exist. Cannot uninstall.

    I ran RogueKiller but I couldn't find
    [ZeroAccess][Folder] Install -- C:\Users\f.sandoval\AppData\Local\Google\Desktop\Install -> FOUND
    But I've attached the log in case I've somehow missed it. I don't see it on the Registry tab, though.

    OTM did have me reboot once it was done, but I attached the log file (per the instructions).

    IE is still having issues, but it seems like this is (thus far) only when I try to attach the requested files. I haven't really been using the computer for things other than running the programs you mentioned and being on the forum so I'm not sure if it would be a problem in other instances. I even tried attaching one at a time (browse/load/close window - and then IE freezes and closes) but that didn't work either.

    I can't seem to get all the logs attached without killing IE. It seems to let me load up to maybe 3, right now, before it crashes. I've copied and pasted the RK logs. I hope that's ok.


    ---------------------

    RKreport_SCN_08222014_153452

    RogueKiller V9.2.8.0 (x64) [Jul 11 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : f.sandoval [Admin rights]
    Mode : Scan -- Date : 08/22/2014 15:34:52

    ¤¤¤ Bad processes : 1 ¤¤¤
    [Suspicious.Path] (SVC) Agent -- C:\Windows\VPDAgent_x64.exe[-] -> STOPPED

    ¤¤¤ Registry Entries : 19 ¤¤¤
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Agent -> FOUND
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Agent -> FOUND
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Agent -> FOUND
    [PUM.Policies] (X64) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
    [PUM.Policies] (X64) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/ -> FOUND
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/ -> FOUND
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Internet Explorer\Main | Search Page : -> FOUND
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Internet Explorer\Main | Search Page : -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ HOSTS File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST3750528AS +++++
    --- User ---
    [MBR] 0d8d06108be1d0b0b97af1433bd0c75f
    [BSP] c4f8903abf43d2058095b2419aa69ec7 : Unknown MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 695485 MB
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1424560128 | Size: 19817 MB
    User = LL1 ... OK
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] eda32558bf3e3791d7f039a74fa51a0d
    [BSP] c6a9058f7f70a303c7c9792b55051f81 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 226125824 | Size: 300 MB

    +++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )


    ============================================
    RKreport_SCN_08192014_221712.log - RKreport_SCN_08212014_202503.log - RKreport_SCN_08222014_143143.log - RKreport_DEL_08222014_152139.log



    ---------------------------------------------
    RKreport_SCN_08222014_181834

    RogueKiller V9.2.8.0 (x64) [Jul 11 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : f.sandoval [Admin rights]
    Mode : Scan -- Date : 08/22/2014 18:18:34

    ¤¤¤ Bad processes : 1 ¤¤¤
    [Suspicious.Path] (SVC) Agent -- C:\Windows\VPDAgent_x64.exe[-] -> STOPPED

    ¤¤¤ Registry Entries : 19 ¤¤¤
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Agent -> FOUND
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Agent -> FOUND
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Agent -> FOUND
    [PUM.Policies] (X64) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
    [PUM.Policies] (X64) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/ -> FOUND
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/ -> FOUND
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Internet Explorer\Main | Search Page : -> FOUND
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Internet Explorer\Main | Search Page : -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ HOSTS File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST3750528AS +++++
    --- User ---
    [MBR] 0d8d06108be1d0b0b97af1433bd0c75f
    [BSP] c4f8903abf43d2058095b2419aa69ec7 : Unknown MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 695485 MB
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1424560128 | Size: 19817 MB
    User = LL1 ... OK
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] eda32558bf3e3791d7f039a74fa51a0d
    [BSP] c6a9058f7f70a303c7c9792b55051f81 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 226125824 | Size: 300 MB

    +++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )


    ============================================
    RKreport_DEL_08222014_152139.log - RKreport_SCN_08192014_221712.log - RKreport_SCN_08212014_202503.log - RKreport_SCN_08222014_143143.log
    RKreport_SCN_08222014_153452.log

    ----------------------------------------------------
     

    Attached Files:
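The two RogueKiller reports pasted above are the same scan twice, and the helper's verdict rests on what is absent from them (the [ZeroAccess][Folder] line) and on which of the nineteen registry hits are worth acting on. The script below is an added example, not part of this thread and not code from Adlice or RogueKiller: it parses the report's "[Category] (arch) target -> STATUS" lines and the "User = LL1 ... OK" MBR-consistency lines, sorts detections into actionable versus review-only buckets, and surfaces the mismatched MBR. The sample input is constructed: its lines are copied from the scan above, except for the [ZeroAccess][Folder] line, which is added so the parser can be seen recognising the detection Kestrel13! asked the poster to look for. The severity mapping and the rule that a PUM value of 0 is noise are this example's own heuristics, not RogueKiller's.

```python
"""Triage helper for RogueKiller text reports (added example, not part of the
forum thread and not RogueKiller's own code)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the scan posted above, plus one added
# [ZeroAccess][Folder] line of the shape the helper asked the poster to look for.
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 1 ¤¤¤
[Suspicious.Path] (SVC) Agent -- C:\Windows\VPDAgent_x64.exe[-] -> STOPPED

¤¤¤ Registry Entries : 4 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Agent -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-457032410-3951130692-2943882998-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/ -> FOUND
[ZeroAccess][Folder] Install -- C:\Users\f.sandoval\AppData\Local\Google\Desktop\Install -> FOUND

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3750528AS +++++
User = LL1 ... OK
User != LL2 ... KO!
+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) : (?P<count>\d*) ?¤¤¤$")
# [Category][optional sub] (optional arch) body -> STATUS
ENTRY_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\](?:\[(?P<sub>[^\]]+)\])?\s+"
    r"(?:\((?P<arch>[^)]+)\)\s+)?"
    r"(?P<body>.+?)\s+->\s+(?P<status>\w+)$"
)
DRIVE_RE = re.compile(r"^\+{5} (?P<drive>PhysicalDrive\d+): (?P<model>.+?) \+{5}$")
# "User = LL1 ... OK" / "User != LL2 ... KO!": the user-mode MBR read compared
# against two lower-level reads; a KO! means the two views of the MBR differ.
MBR_CMP_RE = re.compile(r"^(?P<lhs>\w+) (?P<op>=|!=) (?P<rhs>\w+) \.\.\. (?P<verdict>OK|KO!)$")


def severity(category):
    """Heuristic of this example, not RogueKiller's own ranking."""
    if category == "ZeroAccess":
        return "high"        # named rootkit family: remove
    if category.startswith("Suspicious."):
        return "medium"      # unusual service/file path: verify, then remove
    if category.startswith("PUM."):
        return "low"         # potentially unwanted *modification*: often a benign setting
    return "unknown"


def _split_body(body):
    """Registry bodies look like 'KEY | ValueName : data'; files/services have no '|'."""
    key, _, rest = body.partition(" | ")
    if not rest:
        return key, None, None
    if rest.endswith(" :"):          # empty data, e.g. 'Search Page : -> FOUND'
        return key, rest[:-2], ""
    name, _, data = rest.partition(" : ")
    return key, name, data


def parse_report(text):
    section, drive = None, None
    entries, mbr = [], defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group("name")
        elif (m := DRIVE_RE.match(line)):
            drive = m.group("drive")
        elif (m := MBR_CMP_RE.match(line)) and drive:
            mbr[drive].append((m.group("lhs"), m.group("rhs"), m.group("verdict")))
        elif (m := ENTRY_RE.match(line)):
            target, value, data = _split_body(m.group("body"))
            entries.append({
                "section": section, "category": m.group("cat"), "sub": m.group("sub"),
                "arch": m.group("arch"), "target": target, "value": value, "data": data,
                "status": m.group("status"), "severity": severity(m.group("cat")),
            })
    return {"entries": entries, "mbr": dict(mbr)}


def actionable(report):
    """Detections worth acting on: named malware, suspicious paths, MBR mismatches."""
    hits = [e for e in report["entries"] if e["severity"] in ("high", "medium")]
    mbr_bad = [(d, lhs, rhs) for d, cmps in report["mbr"].items()
               for lhs, rhs, verdict in cmps if verdict == "KO!"]
    return hits, mbr_bad


def pum_review(report):
    """PUM hits whose data is not the non-restrictive default 0. A policy value such
    as DisableTaskMgr : 0 is present but does nothing; RogueKiller flags its presence."""
    return [e for e in report["entries"]
            if e["category"].startswith("PUM.") and e["data"] not in (None, "", "0")]


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    hits, bad_mbr = actionable(rep)
    for e in hits:
        print(f"[{e['severity']}] {e['category']} {e['target']} ({e['status']})")
    for d, lhs, rhs in bad_mbr:
        print(f"[mbr] {d}: {lhs} read differs from {rhs} read; compare the two MBR dumps")
    for e in pum_review(rep):
        print(f"[review] {e['category']} {e['value']} = {e['data']}")
```

Run against the real scan above, the only medium-or-higher hits are the `Agent` service pointing at C:\Windows\VPDAgent_x64.exe, and the only MBR finding is the User/LL2 mismatch on PhysicalDrive0; every PUM.Policies hit carries data 0 and drops out of the review list, which matches the helper's decision to leave them alone.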

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Rebate Informer is no longer installed according to the latest logs and also RogueKiller no longer shows traces of a ZeroAccess rootkit. So how are things running? Any more malware problems? :)
     
  7. SweetLD215

    SweetLD215 Private E-2

    Awesome! I'm not 100% sure if there's more malware problems - just the odd thing with attachments in IE. I could always uninstall and reinstall it in case that would somehow help.

    It looks like all the pop ups are gone which is awesome!! :) Everything seems to be running better. Thank you so much for all your help!
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent! :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work through the below link:
     
