Slow desktop/IE-sent here from software

Discussion in 'Malware Help (A Specialist Will Reply)' started by swennybear23, Nov 28, 2008.

  1. swennybear23

    swennybear23 Private E-2

A couple months ago I followed the procedures to remove a Virtumonde and it worked perfectly. However, after doing that my desktop and Internet Explorer were still slow. The individual helping me said it was a software issue and to start a thread in there. I did this the other day and they think I still have a malware problem and to start a thread in this section to be sure I am completely clean before dealing with the slow desktop/IE.

I have already run all of the read/run me first with the exception of MGTools and MSConfig. All of the scans so far are clean. However, I have noticed my Sophos picking up a Troj Downloader?? the last few times I have been on my computer. It has deleted it every time. I will patiently await your directions/assistance. Thank you!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You need to run all of the steps in the READ ME again if it's been more than a few days since you ran them as things can change on every reboot.

    Either way, we need all of the logs requested from the READ ME. As a reference I will post our initial instructions.

     
  3. swennybear23

    swennybear23 Private E-2

    Thank you. I will do that and post when finished.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay!:)
     
  5. swennybear23

    swennybear23 Private E-2

Here are my logs! Something to note: when running ComboFix, my Sophos picked up a virus/spyware EICAR-AV-Test "C:/DOCUME~1/Ryan/LOCALS~1/Temp/AV-test.txt".

    Things are still running slower with desktop, more noticeably with IE. Thanks again for your assistance.
     

    Attached Files:

  6. swennybear23

    swennybear23 Private E-2

    And the last one...
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I apologize for the delay, I have been sick and am just now getting better.

    Since it has been so long, please attach fresh logs from MBAM, SAS and MGTools.
     
  8. swennybear23

    swennybear23 Private E-2

    No problem, I understand completely. Here are my updated logs. Thanks.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

NOTE: If it's "grey" then it's already at the default level.
    Step 4:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 5:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
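Added example, not part of the thread or of any tool it names: a PowerShell check that reports which Internet Explorer security zones have been changed away from their recommended (default) level, which is what Step 3's "Default Level" / "Reset all zones to default level" puts back. It assumes the per-user zone settings live under the `Zones\<n>` registry keys shown, each holding DWORD values `CurrentLevel` and `RecommendedLevel`, and that zones 1 to 4 are the four zones the post lists.

```powershell
# Added example (not from the thread): list Internet Explorer security zones
# whose current level differs from the recommended (default) level.
# Assumption: per-user zone settings live under the Zones\<n> keys below, each
# holding DWORD values CurrentLevel and RecommendedLevel; zones 1-4 are the
# four the post lists (0 is the hidden "My Computer" zone and is skipped).
function Get-IEZoneDrift {
    param(
        [string]$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )
    $zoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    foreach ($n in 1..4) {
        $key = Join-Path -Path $ZonesRoot -ChildPath $n
        if (-not (Test-Path -Path $key)) { continue }
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $current     = $p.CurrentLevel
        $recommended = $p.RecommendedLevel
        # A missing CurrentLevel means this zone was never customised for the user.
        [pscustomobject]@{
            Zone        = $zoneNames[$n]
            Current     = if ($null -ne $current)     { '0x{0:X5}' -f [int]$current }     else { '(default)' }
            Recommended = if ($null -ne $recommended) { '0x{0:X5}' -f [int]$recommended } else { '(unknown)' }
            Drifted     = (($null -ne $current) -and ($null -ne $recommended) -and ($current -ne $recommended))
        }
    }
}

# Usage: show all four zones, then warn only about the ones that drifted.
Get-IEZoneDrift | Format-Table -AutoSize
Get-IEZoneDrift | Where-Object { $_.Drifted } | ForEach-Object {
    Write-Warning ("Zone '{0}' is at {1}; the default is {2}" -f $_.Zone, $_.Current, $_.Recommended)
}
```

Run it before and after the reset in Step 3: a zone that still reports as drifted afterwards is worth a second look, since machine-wide policy under HKLM can override the per-user values this script reads.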
     
  10. swennybear23

    swennybear23 Private E-2

I am not sure how to close/disable my Sophos antivirus? Have tried it in the past during cleanup procedure, however, do not know how to. Thanks.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Just proceed, skip that step.
     
  12. swennybear23

    swennybear23 Private E-2

I ran the combofix with the CFscript like you said and it never did anything. I let it sit for like 10 hours even and the blue screen never changed. I tried running it again 2 more times with the same result. Now my IE won't connect so what should I do? ****Note: I did get a Sophos warning each time I ran it and I rebooted once by pressing the button and holding as the computer froze during shutdown. Hope I haven't messed anything up!
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It sounds as if your AV is causing the problem, we need to disable it. Right click on the system tray icon and exit if you can. If not, we may need to temporarily uninstall to get your system clean.

    Once disabled/uninstalled run the process again.
     
  14. swennybear23

    swennybear23 Private E-2

    There is no way to disable it in the system tray so how do I temporarily uninstall it?
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just go into Add/Remove and uninstall from here.

    Before you do this, do you have the installation source to reinstall once we're done?
     
  16. swennybear23

    swennybear23 Private E-2

Unfortunately no, but I suppose I could just download AVG when we are done. Once I get home I will uninstall and then proceed with everything. Thanks.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! It's up to you but it seems this is blocking the fix. Just let me know.
     
  18. swennybear23

    swennybear23 Private E-2

Well, I uninstalled Sophos and ran the CFscript in Combofix and I did not receive any prompts or warnings that Sophos was still running, however, it still did not work, as in it froze up on the blue screen that says "this should only take 10 minutes but on badly infected computers the time may double". I let it sit there without mouse clicking for like 2 1/2 hours. Are the lines in the CFscript correct? I will try it once more, starting new with a download of Combofix and then re-running the script. Sorry this is being such a bugger for you, I appreciate your help. Thanks.
     
  19. swennybear23

    swennybear23 Private E-2

    Ok, this is funny. I tried it again and it worked this time?! The CFscript.txt file is still on my desktop so I hope it ran it and not just the Combofix?! I will await your next instructions, thanks again!
     

    Attached Files:

    Last edited: Jan 3, 2009
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please, download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot. Please attach this log to your next post.
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\Avenger.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  21. swennybear23

    swennybear23 Private E-2

Ran both applications and after restarting I received a process error message, similar to the type of message I used to receive back when I had a virtumonde virus. Otherwise things seem to be about the same.
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Those logs look good however I would like you to uninstall your current versions of MBAM and SAS. Download the updated versions below, install, update and run new scans with both. Once you have completed the scans, attach the new logs to your next post.

    Also, please attach one last ComboFix log so we can confirm everything is clean.

    Malwarebytes Anti-Malware 1.32

    SUPERAntiSpyware 4.24.0.1004
     
  23. swennybear23

    swennybear23 Private E-2

    Here are the logs you requested. Should I install AVG now? Thanks.
     

    Attached Files:

  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your latest set of logs are clean, please download a fresh copy of MGTools from the READ ME and run this once more. Once complete, attach the new file so we can confirm those logs are clean as well.
     
  25. swennybear23

    swennybear23 Private E-2

    Here is my latest log. So does this mean I am clear for someone in software to look at it? Thanks again:)
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot. Please attach this log to your next post.
    Once you complete the above, let me know how things are running and if any problems remain.
     
  27. swennybear23

    swennybear23 Private E-2

Here is the Avenger file. Upon rebooting I received an error message "Windows No Disk": Exception Processing Message C0000013 Parameters 75b6b7c4 75c6cf7c 75b6bf7c. Other than that, things seem all right for the moment. Thanks for your time.
     

    Attached Files:

  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run C:\MGtools\GetLogs.bat by double clicking on it and attach a new set of logs.

    Also, please run ComboFix once more and attach a fresh log.
     
  29. swennybear23

    swennybear23 Private E-2

    Things are running fairly well. Although I have been getting a lot of error messages when opening pages up on IE. When can I install AVG? or Do you have a better suggestion for anti-virus that is free? or Any suggestions on which one I should buy if that is what I decide to do? Thanks.
     

    Attached Files:

  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  31. swennybear23

    swennybear23 Private E-2

    Here you go!
     

    Attached Files:

  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Next, we need to run Avenger again, just like you did before.
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot. Please attach this log to your next post.
    Once you complete the above, attach the log to your next post and also please download the updated version of ComboFix below. Be sure you save it to your desktop, run it and attach the log to your next reply.

    ComboFix
     
  33. swennybear23

    swennybear23 Private E-2

I received the same No Disk error message after reboot from Avenger scan. Thanks again for your time.
     

    Attached Files:

  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, let's confirm this file is what I think it is.

    Go to the site below and upload the following file.

    http://virusscan.jotti.org
    Once the scan is complete, please post the results to your next post.
     
  35. swennybear23

    swennybear23 Private E-2

    This is what it said when I submitted the file:

    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
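Added example, not part of the thread or of the Jotti service: a PowerShell pre-upload check for a suspect file. The "0 bytes" result above means the scanner received an empty file, so this confirms locally that the file exists, is non-empty and can actually be read, and records its SHA-256 so the scan report can later be matched to exactly what was submitted. The file path in the usage line is a placeholder; the path of the file you were asked to upload goes there.

```powershell
# Added example (not from the thread): local checks to run before uploading a
# suspect file to an online scanner. Reports existence, size, attributes,
# readability and SHA-256; a 0-byte or unreadable file is flagged so you do
# not submit an empty upload. The path used below is a placeholder.
function Test-SuspectFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    $result = [ordered]@{
        Path       = $Path
        Exists     = $false
        Length     = 0
        Attributes = $null
        Readable   = $false
        SHA256     = $null
        Verdict    = 'missing: check the path (8.3 names such as DOCUME~1 must match exactly)'
    }

    # -Force also finds hidden/system files; -LiteralPath keeps [ ] in names from being globbed.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return [pscustomobject]$result }
    if ($item.PSIsContainer) {
        $result.Exists  = $true
        $result.Verdict = 'directory: upload a single file, not a folder'
        return [pscustomobject]$result
    }

    $result.Exists     = $true
    $result.Length     = $item.Length
    $result.Attributes = $item.Attributes.ToString()

    try {
        # Share ReadWrite so a file another process holds open can still be read;
        # access denied or a sharing violation surfaces here as an exception.
        $fs = [System.IO.File]::Open($item.FullName,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
        try {
            $sha = [System.Security.Cryptography.SHA256]::Create()
            $result.SHA256   = [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '')
            $result.Readable = $true
        } finally {
            $fs.Dispose()
        }
    } catch {
        $result.Verdict = "unreadable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    if ($result.Length -eq 0) { $result.Verdict = 'empty: do not upload, there is nothing to scan' }
    else { $result.Verdict = 'ok: upload, then compare the hash in the scan report with SHA256 above' }
    [pscustomobject]$result
}

# Usage (placeholder path, substitute the file you were asked to upload):
Test-SuspectFile -Path 'C:\path\to\suspect-file.exe' | Format-List
```

When the verdict is "unreadable" on a file that Explorer shows with a non-zero size, note the exception text: a sharing violation points at a process holding the file open, while access denied points at permissions or a filter driver, and both explain an empty upload better than a blocked connection would.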
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this fresh copy of ComboFix below and attach a new log.

    ComboFix
     
  37. swennybear23

    swennybear23 Private E-2

    New Combofix log.
     

    Attached Files:

• log.txt (9.5 KB)
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's run ComboFix once more.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
    Once you have completed the above, attach the new log from ComboFix.
     
  39. swennybear23

    swennybear23 Private E-2

    Followed the instructions and it stalled on me twice.
     
  40. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Next, we need to run Avenger again, just like you did before.
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot. Please attach this log to your next post.
     
  41. swennybear23

    swennybear23 Private E-2

    Ran Avenger and had same no disk error on restart. Accidentally hit Combofix icon so I will attach that log as well. I hope that didn't mess anything up for you!
     

    Attached Files:

  42. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware & Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows Vista, Windows XP or Windows ME, you need to follow the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
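Added example, not part of the thread: a PowerShell report to run after the final steps above. It lists any helper-tool artifacts still on disk and reports whether two settings the steps restore are back at Windows defaults. It only reports and deletes nothing. It assumes the file and folder paths are the ones named in this thread, that Explorer keeps the "show hidden files" choice under `HKCU:\...\Explorer\Advanced` as `Hidden` (2 = do not show, the default) and `ShowSuperHidden` (0 = hide protected operating system files, the default), and that UAC state is the `EnableLUA` value (1 = on) under the HKLM policy key shown.

```powershell
# Added example (not from the thread): report leftovers from the cleanup tools
# and whether hidden-file and UAC settings are back at Windows defaults.
# Reports only; removing anything is left to the final steps above.
# Assumptions: paths are the ones the thread names; Explorer stores the hidden-
# file choice as Hidden (2 = default) and ShowSuperHidden (0 = default); UAC is
# EnableLUA (1 = on) and is only meaningful on Vista and later.
function Get-CleanupResidue {
    $desktop = [Environment]::GetFolderPath('Desktop')
    $candidates = @(
        (Join-Path -Path $desktop -ChildPath 'ComboFix.exe'),
        (Join-Path -Path $desktop -ChildPath 'CFscript.txt'),
        (Join-Path -Path $desktop -ChildPath 'avenger.exe'),
        'C:\ComboFix.txt',
        'C:\combofix',
        'C:\avenger.txt',
        'C:\MGtools',
        'C:\MGtools.exe',
        'C:\MGlogs.zip'
    )
    $leftovers = foreach ($p in $candidates) {
        if (Test-Path -LiteralPath $p) {
            # -Force so an item the tools left hidden is still described
            $i = Get-Item -LiteralPath $p -Force
            [pscustomobject]@{ Path = $p; Type = if ($i.PSIsContainer) { 'folder' } else { 'file' } }
        }
    }

    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Leftovers          = @($leftovers)
        HiddenFilesDefault = (($adv.Hidden -eq 2) -and ($adv.ShowSuperHidden -eq 0))
        UacEnabled         = ($sys.EnableLUA -eq 1)
    }
}

# Usage: print the report.
$report = Get-CleanupResidue
if ($report.Leftovers.Count -eq 0) { 'No tool leftovers found.' } else { $report.Leftovers | Format-Table -AutoSize }
"Hidden-file settings at Windows default: $($report.HiddenFilesDefault)"
"UAC enabled (Vista and later only): $($report.UacEnabled)"
```

On Windows XP, as in this thread, the UAC line will read false and can be ignored; the leftovers list and the hidden-file check are the parts that confirm steps 2, 3 and 8 above were completed.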
     
  43. swennybear23

    swennybear23 Private E-2

    Thank you!
     
  44. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!

    Surf Safely!:major
     
