Exhausted my expertise!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by docmarten, Sep 25, 2007.

  1. docmarten

    docmarten Private E-2

    Hi,

    First let me say I have been through, 'basic computer maintenance everyone should do', I have previously followed 'how to protect yourself from malware' and have spent the day following 'READ & RUN ME FIRST Malware Removal Guide'.

    Secondly I will admit that this might not be the right forum as I have read that slow computers are rarely a result of malware, but I can't find another explanation for it.

    I have tried to work out if any programs on the computer are deconflicting with each other but I have had no luck.

    Please find relevant logs attached to see if it is something else.

    Thanks

    Doc

  2. docmarten

    docmarten Private E-2

    The other logs.

    Thank you.

    Doc

  3. abri

    abri MajorGeek

    Hi Docmarten!
    Welcome to Major Geeks!
    Please go back and rerun Counterspy, only this time have it fix what it finds.
    abri
     
  4. docmarten

    docmarten Private E-2

    Hey Abri,

    Sorry but I cannot work out how to get Counter Spy to fix what it finds, sorry for being so dumb!

    Doc:eek:
     
  5. abri

    abri MajorGeek

    Sorry doc!
    I lost you there!

    In some of the scans it's at the beginning before the scan starts. You may have to scroll or look for a button to check. With Counterspy, I believe it's at the end after it finds stuff. There should be a button that says to quarantine all items that were found.
    I hope this helps.
    abri
     
  6. docmarten

    docmarten Private E-2

    Abri,

    Thanks I will run counter spy and look again but I don't remember anything at the end either. If I cannot find anything I intend to attach an AVI report, will that be ok?

    Doc
     
  7. abri

    abri MajorGeek

    Yes, but I hope you'll find that option, even if it's hiding behind a scroll bar, because it actually found a lot it could fix for us and it would be helpful.

    abri
     
  8. docmarten

    docmarten Private E-2

    Abri,

    Ok, I will persevere with Counter Spy, however the scan has been running about 45 mins now and has only scanned 15000 files!

    Doc
     
  9. abri

    abri MajorGeek

    It does sound slow. Did it take that long the first time? For your entertainment, while you're waiting for it to finish, you can open up the counterspy log by double-clicking on it here or by opening it in your computer and look at what it found. I'm guessing you will want to quarantine most of it if at all possible. LOL It's just a guess though and it will give you a chance to see if you do want it quarantined or not.

    abri
     
  10. docmarten

    docmarten Private E-2

    Abri,

    Just finished Counter Spy scan, 136 mins!!!

    I have just realised that I haven't done all the other logs, so will start again from the beginning and get back to you with all new logs posted. I just hope it doesn't take that long again.

    Doc:(
     
  11. abri

    abri MajorGeek

    Your other logs are fine. I only want to see the new counterspy! Don't do all that work over again!!
    abri
     
  12. docmarten

    docmarten Private E-2

    Abri,

    Ok, understood. I have run the Counter Spy in safe mode, but although it ran through the scan in normal time it doesn't let me delete all that it finds. I am now running it in normal mode and it is very slow: 30,000 files in 1 hr+. Once complete and it has fixed all that it finds I will post the log.

    I expect you will have given up waiting by then:D but I will post as soon as it is finished.

    Doc
     
  13. docmarten

    docmarten Private E-2

    Abri,

    At last, here is the Counter Spy log, thanks for taking the time.

    Doc
     

  14. docmarten

    docmarten Private E-2

    abri,

    Just looked at my logs!!! Interesting, huh? That's some dodgy stuff:eek:!!

    Doc
     
  15. abri

    abri MajorGeek

    Yes, that's why I wanted you to go ahead and do it again, even though I knew it was going to take a lot of time. Counterspy gets rid of stuff others don't and it's helpful.

    1) Now that Counterspy has done its work, we're finished with it. Please look in Add/Remove Programs and uninstall it. It will be listed as Sunbelt Counterspy. If you get any errors just make a note and proceed.

    2) BitDefender took out several bad items for you. You have one file (the invalid file below) which is a remnant of MicroBilling, but I don't see any other evidence of it on your system. Please go to Windows Explorer and delete the following file:

    Then delete the below folders which may be left behind by the uninstall of Counterspy:

    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger.

    4) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    6) After you have completed ALL of the above in the correct order, please attach the following logs. Also, please tell me if you notice any difference in the way your computer is working.
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
     
  16. docmarten

    docmarten Private E-2

    abri,

    Logs attached. No noticeable difference with the computer, still running very slowly, and no problems encountered whilst carrying out your instructions.

    :confused: Doc
     

  17. abri

    abri MajorGeek

    Hi docmarten!
    Your computer has two infected restore points and two infected ActiveX's. Counterspy took out a lot. I'd like for you to run Combofix, which includes a rootkit scan and sometimes will show something which is hidden by other scans we have. You may as well run the scan from Sophos as well.

    There are many reasons for a slow machine, so after you do the instructions below and then follow our final cleanup procedures which I will post after looking at the next two logs, I would like to ask you to visit either the software and/or the hardware forum and ask them to help you check several things. For one, it's possible that you have some bad sectors on your hard drive. There is software that can reroute your data around those so they don't cause you problems. Also, slowness can be due to RAM and this can also be checked. If half your RAM isn't functioning, you'll notice it and there are ways to check this as well. In terms of conflicting programs, I don't momentarily see any obvious problems. You do have a whole set of programs that go together which include mLogView and mMHouse among others. These, along with several others, appear in your uninstalls list at the bottom of the newfiles.txt log. Try to find out what those are for and if you need them.

    Here are the two scans for you to do. I don't see anything to indicate a hidden infection, but it won't hurt to check.
    Attach logs for:
    - Combofix
    - Sarscan (Sophos)
     
  18. abri

    abri MajorGeek

    Oh, one other thing to add to my last post. ATF didn't delete your temporary files which it should have deleted. Did you change any of the settings to prevent that? If not, please try and delete them manually via Windows Explorer from this directory: Those with today's date probably won't delete.
     
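    For the manual step abri asks for here, an added PowerShell script (not from this thread, and not part of ATF Cleaner or any other tool named in it) that empties a temp folder the same way: it skips files dated today, which are the ones likely still in use, and reports files it could not delete instead of stopping on the first error. It assumes the directory is the current user's temp folder ($env:TEMP), since the thread does not show the path; pass -TempDir to point it elsewhere, and -WhatIf to list what would go without deleting anything.

```powershell
# Added example (not from this thread): clear a temp directory as described,
# skipping files written today and reporting anything a running program holds open.
# Assumption: the directory is the current user's temp folder ($env:TEMP);
# the thread's actual path is not shown, so pass -TempDir to override it.
param(
    [string]$TempDir = $env:TEMP,
    [switch]$WhatIf
)

$today   = (Get-Date).Date   # midnight today; anything at or after this is "today's"
$deleted = 0
$skipped = @()               # written today, probably still in use
$locked  = @()               # delete failed (open handle, permissions, ...)

Get-ChildItem -Path $TempDir -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $file = $_
        if ($file.LastWriteTime -ge $today) {
            $skipped += $file.FullName
            return   # inside ForEach-Object this moves on to the next file
        }
        try {
            if ($WhatIf) {
                Write-Host "Would delete: $($file.FullName)"
            } else {
                Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                $deleted++
            }
        } catch {
            # Leave locked files alone; they are usually in use by a running program
            $locked += $file.FullName
        }
    }

Write-Host ""
Write-Host "Deleted: $deleted file(s) from $TempDir"
Write-Host "Skipped (written today): $($skipped.Count)"
if ($locked.Count -gt 0) {
    Write-Host "Could not delete (in use or access denied):"
    $locked | ForEach-Object { Write-Host "  $_" }
}
```

    Run it from a normal PowerShell prompt; files that fail to delete are listed at the end so they can be retried after a reboot, which matches abri's note that today's files probably won't delete.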
  19. docmarten

    docmarten Private E-2

    abri,

    I didn't change any setting on ATF but have now deleted all temp files.

    Logs as requested attached.

    Thanks

    Doc
     

  20. abri

    abri MajorGeek

    Hi docmarten!

    There was one file in the Sophos rootkit scan that we couldn't identify and so we will have you remove it. It's possible that you removed it yourself, because you ran ATF after you ran the Sophos scan and ATF removes your temporary files. This one is in your temporary files. Nevertheless, it could still be there, so I'll have you run Avenger to make sure. Please do the following:


    1) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    2) If Avenger found and deleted the above file, please run ATF Cleaner.
    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    3) After you have completed the above in the correct order, please attach the following logs.
    • Avenger Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
     
  21. docmarten

    docmarten Private E-2

    Abri,

    Done as requested, got error messages as below:

    Error: selected file does not appear to be valid scrip.

    Error code: 0

    as no file was found I did not run ATF.

    Doc
     

  22. abri

    abri MajorGeek

    Hi docmarten!
    Sometimes Avenger will run after reboot. And sometimes it is prevented from running by an antivirus program. Please try it after reboot and if that doesn't work, please shut down your computer, turn off your antivirus and see if you can run it that way. If it does not give you the error message again, please enter the file as per my previous instructions. If Avenger doesn't run again, please turn your computer back on and do the following. (If the file is there, it should be found. If it can't be found, it probably already got deleted when you ran ATF.)

    If either of the above - Avenger or the Command Prompt - finds and deletes that file, please run ATF cleaner as per the instructions in my previous post. If nothing gets deleted then there's no need to run it again. Let me know how it goes.

    abri
     
  23. docmarten

    docmarten Private E-2

    abri,

    Have done it now and have to admit it was my fault (I didn't cut and paste all that was in the box):eek:.

    Log attached.

    It is looking as if I am going to have to talk to the software and hardware men.

    Doc
     

  24. abri

    abri MajorGeek

    Hi docmarten,

    I noticed that your AVG antivirus isn't showing up in your uninstalls list and I don't know why. It appears to be running when I look at HijackThis. Please check Add/Remove Programs to find out if it's in Add/Remove Programs or not. It might be under AVG and it might be under Grisoft. Your AVG Antispyware IS showing up. Just not the antivirus.

    There can be a number of reasons why your computer is running slowly. I will have you run one other rootkit scan and if it doesn't find anything harmful, I'll ask you to continue on with our final cleanup tools.

    As for the slowness of your computer, if it happened suddenly and we can't find any signs of malware, I would be looking for newly installed programs or Windows updates that didn't sit well with the computer, or at bad sectors on the hard drive, or at problems with the RAM or inadequate RAM to accommodate bulkier new software. The easiest way around installations that caused problems is to back up to an earlier restore point. That option will be gone if you remove all your previous restore points and put in a clean one as we recommend in our final instructions.

    Now please run the instructions in the box and post the results back to me.
    If BlackLight does not find anything, I would like for you to continue with the next instructions. If you are not sure about the Blacklight results, please just post them to us and let us see them before you go on.

    To do the following, I need information from you about your computer. Please look at your restore points under Start / Accessories / System Tools / System Restore. Please tell me whether you have two options or three options at this point. Do you have the three choices to 1) Go back to an earlier restore point, 2) create a new restore point or 3) undo a recently changed restore point? If you have only two of these options, please stop and go back out without doing anything and tell me.

    If you have all three of these options, then click on Go back to an earlier restore point and after clicking next, look at the calendar. Look how far back the bold printed dates go. (They will be intermittent.) Choose one you KNOW to be before the date when your computer got slow and click on that and follow the directions. If the speed of your computer remains the same, please go through the same sequence, Start / Accessories / System Programs / System Restore - only this time choose to undo your last system restore and follow the directions.

    If you've never used this tool, it's a slightly slow process which will reboot your computer automatically and give you a message.

    Going back to an earlier restore point will undo all that we've done including the work the scans did for you, meaning you would have to redo the scans. However, if you are able to get your speed back in this way, it would be worth the trouble of redoing the scans. Also, the information you'd gain by trying this is that it would tell you whether your problem is software or hardware-related. If it works, it would mean the problem is software-related. If it does not work, it means the problem could be hardware-related but doesn't have to be.

    abri
     
  25. docmarten

    docmarten Private E-2

    Hi Abri,

    Checked for AVG antivirus and found it in the uninstall list, don't know what happened there.

    BlackLight didn't find anything and I am afraid I only have two options in my system restore.

    I am having snags uploading the fsbl log but as it didn't find anything do you still need it?

    Doc
     
  26. abri

    abri MajorGeek

    No. It's enough if you tell me. :)

    I think we've done everything we can to make sure your computer is malware free. Please go ahead and follow the instructions in the box including setting a new restore point as per the instructions in the link below. The information I gave you regarding slow computers should help you get started in looking for the cause in other areas. I know Symantec makes a tool called Disk Doctor that's part of Norton System Works, that will allow you to look for bad sectors on your hard disk, but I think there must be some free tools that will accomplish that as well. I'm more prone to think this is a software problem in your case although you should ask about RAM. If anyone advises you to use a registry cleaner, do so carefully. Look at what you're going to fix, don't just hit the button that says to fix everything.

    abri
     
  27. docmarten

    docmarten Private E-2

    Abri,

    Thank you for all your time and effort. I am sure I will get to the bottom of this eventually and therefore it is time for me to badger another voluntary expert.

    Doc
     