Still not working well, please review logs...

Discussion in 'Malware Help (A Specialist Will Reply)' started by teenyhomestead, Mar 14, 2013.

  1. teenyhomestead

    teenyhomestead Private E-2

    I have several sites I work with on a daily basis for our farm, among them facebook and weebly. While working as I always do, a week and a half ago, my computer began behaving badly. Can't remember exactly what it was doing, as I have been hit with viruses and trojans a couple of times over the past decade and have always been able to take care of it.

    CPU usage was sky high, explorer.exe running high, sometimes over 200,000,

    At one point I turned on my computer and just got flashing screens and buzzers! Immediately turned it off and rebooted in safe mode, did a bunch of stuff and can't even tell you what I was in such a panic. Whatever I did I got it restarted.

    At that point it appeared everything was gone; photos, docs, favorites, bookmarks, etc. Figured out that they were all hidden, but still seems that I must click on each individual file to unhide, can't get them all to reappear without going to every single file. Could not load weebly.com to work on my website, even after I ran all my spyware programs. CPU usage over 50%, explorer.exe over 200,000, windows explorer stopped working and restarting, internet explorer stopped working and restarting, etc. Every time I restarted my computer something else happened.

    With no windows open, internet commercials would start playing randomly, no video just audio.

    Ran Spybot, and it found the same 10-12 entries every time I ran it, despite checking them all for removal. Ad-Aware found several cookies, and I got rid of those. Used Windows Defender and it always said nothing was wrong. Computer kept getting worse, to the point that it would not turn on in regular mode. Started in safe mode, ran again, spybot still found many items and at this point none of my other virus detectors were finding anything, but computer still misbehaving. I uninstalled Spybot since it was the only program finding things, reinstalled it and it still found 12 things. I added each one to the list of restricted websites and came here.

    When I ran crapcleaner, it found more to remove every time I ran it. Usually I run it twice just to be sure, and the second time it will say nothing to remove. This time, every single time there was more to remove.

I ran everything listed in the Windows7 Malware removal directions. TDSSKiller would not run. After MGtools was done (I had nothing else open at the time), a window popped up that said:
    Windows Internet Explorer
    Are you sure you want to leave this page?
    Message from webpage: false
    Leave/Stay

    I clicked nothing, and rebooted.

The files that I have not unhidden are still hidden, IE and Firefox take a very long time to load, my fan is running and running, in task manager I now have 69 processes running, firefox over 155,000 and of the now 12 svchost.exe one is over 100,000 and another over 30,000. When I turn off my computer, there is something running in the background that I cannot see, always have to force close.

    I am at my wits end with this stupid process. Suggestions????? I hope I did everything correctly, I know just enough to screw something up. :)
     

    Attached Files:

  2. teenyhomestead

    teenyhomestead Private E-2

    List of what Spybot kept finding:

    BurstMedia
    CasaleMedia
    DoubleClick
    FastClick
    MediaPlex
    RightMedia
    Zedo

    Usually running Spybot to remove one of these entries in the past, I would run the thing, remove whatever, then run again and the issue would be resolved. This time, no matter how many times I ran Spybot or whether in safe mode or not, Spybot was either not getting rid of them or whatever evil is residing in my computer would immediately put them back.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I do not see any protection software installed? Although I see signs of Microsoft Security Essentials running. But it does not seem to be installed properly since it does not show up in installed programs lists.

Since I do not see Ad-Aware, McAfee, and some other items still installed but there are files and folders from them in your logs, we will clean up the leftovers, which can cause performance issues. If you do still have Ad-Aware Antivirus installed, then uninstall it before continuing with the below, because we will break it when the fixes below are run and it needs to be cleaned up because it is not properly installed/running based on your logs.

It was a very bad idea to run CCleaner ( has not been called CrapCleaner for many years ) with these problems, as when infections cause files to be hidden, they sometimes also move many of your files into temp folders and running a disk cleaner would then cause them to be deleted. Do not run it anymore until we know your real status.

These are quite ineffective toys these days, especially Ad-Aware. Also note that cookies are not problems. Give me a log from Spybot so I can see what it is reporting. Many times they are just left over registry keys or may be false detections. Also in many cases, they are simple to fix and Spybot should be able to remove them but it just cannot because it does not work too well. Sorry but that's just a plain fact. If a simple registry patch can fix the problem then Spybot should be able to do so too.

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it ( if you are running Vista or Win 7, use right click and select Run As Administrator ). Did that help with your missing items?

Also note that Grinler ( the creator of unhide.exe ) has the below link which gives info on restoring some system defaults when the unhide program cannot find backups. Scroll down in the link:

    http://www.bleepingcomputer.com/forums/topic405109.html

Please try booting in safe boot mode and see if it will run. However, boot back to normal mode to continue with the below.

    Now please uninstall Swag Bucks Toolbar


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    :Files
    C:\Users\Teeny\AppData\Roaming\Microsoft\Windows\Templates\bom04yh71cc8uvheryab533713j4ljh515k12xlxec7              
    C:\ProgramData\-oKJlROuTVCyA
    C:\ProgramData\-oKJlROuTVCyAr
    C:\ProgramData\Ad-Aware Antivirus
    C:\ProgramData\McAfee
    C:\ProgramData\oKJlROuTVCyA
    C:\ProgramData\Search Protection
    C:\Program Files (x86)\Ad-Aware Antivirus
    C:\Windows\SysNative\drivers\gfiark.sys
    C:\Windows\SysNative\drivers\gfibto.sys
    C:\Users\Teeny\AppData\Local\Temp\adaware-toolbar.xml
    C:\Users\Teeny\AppData\Local\Temp\adawaretb_Uninstall_Log.txt
    C:\Windows\tasks\Ad-Aware Antivirus Scheduled Scan.job
    C:\Windows\tasks\Adobe Flash Player Updater.job
    C:\Program Files (x86)\Swag_Bucks
     
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SearchProtection"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "SearchProtection"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{45454FC8-6621-458A-A2DF-196F76BB18B0}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{45454FC8-6621-458A-A2DF-196F76BB18B0}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the JRT.txt log
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
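A way to confirm afterwards that the items in the OTM list above are actually gone, as an added PowerShell check that is not part of the thread, of OTM or of MGtools: it takes the file paths and registry entries straight from the OTM script (the user profile name Teeny is as given in the thread; the SysNative driver paths are read as System32) and reports any that still exist. Run it from an elevated PowerShell prompt.

```powershell
# Added post-cleanup check, not from the thread. Reports whether the files,
# folders and registry entries targeted by the OTM script above still exist.
# All values are copied from the OTM script; nothing here deletes anything.

$paths = @(
    'C:\Users\Teeny\AppData\Roaming\Microsoft\Windows\Templates\bom04yh71cc8uvheryab533713j4ljh515k12xlxec7',
    'C:\ProgramData\-oKJlROuTVCyA',
    'C:\ProgramData\-oKJlROuTVCyAr',
    'C:\ProgramData\oKJlROuTVCyA',
    'C:\ProgramData\Ad-Aware Antivirus',
    'C:\ProgramData\McAfee',
    'C:\ProgramData\Search Protection',
    'C:\Program Files (x86)\Ad-Aware Antivirus',
    'C:\Program Files (x86)\Swag_Bucks',
    # OTM's SysNative alias resolves to the real System32 on 64-bit Windows
    'C:\Windows\System32\drivers\gfiark.sys',
    'C:\Windows\System32\drivers\gfibto.sys',
    'C:\Users\Teeny\AppData\Local\Temp\adaware-toolbar.xml',
    'C:\Users\Teeny\AppData\Local\Temp\adawaretb_Uninstall_Log.txt',
    'C:\Windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job',
    'C:\Windows\Tasks\Adobe Flash Player Updater.job'
)

# Run keys whose "SearchProtection" value the OTM script removes
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# IE SearchScopes keys the OTM script deletes (both HKLM and HKCU)
$scopeIds = @('{45454FC8-6621-458A-A2DF-196F76BB18B0}', '{afdbddaa-5d3f-42ee-b79c-185a7020515b}')

$leftovers = @()
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $leftovers += "file/folder still present: $p" }
}
foreach ($k in $runKeys) {
    $v = Get-ItemProperty -Path $k -Name SearchProtection -ErrorAction SilentlyContinue
    if ($v) { $leftovers += "Run value still present: $k\SearchProtection = $($v.SearchProtection)" }
}
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($id in $scopeIds) {
        $k = "$hive\Software\Microsoft\Internet Explorer\SearchScopes\$id"
        if (Test-Path -LiteralPath $k) { $leftovers += "SearchScope still present: $k" }
    }
}
if ($leftovers.Count -eq 0) { 'No leftovers from the OTM list found.' } else { $leftovers }
```

Anything it lists is something the OTM run did not remove (or something that was recreated after the reboot), which is the kind of detail worth reporting alongside the logs.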
  4. teenyhomestead

    teenyhomestead Private E-2


    Thank you very much for your assistance, as you can tell I am rather a dullard when it comes to machines.

    The unhide program did recover all of my photos and documents, thank you SO much!

    Should I just get rid of Spybot?

    What is the best program for protection? I do have Windows Defender now as well as Microsoft Security Essentials, do I need other programs as well?

    So far so good, as far as how my computer is running now. I have given credit to you on my websites. Thank you again for your help, and any additional information you provide. I know you must be busy.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. The only items in your Spybot log were cookies which will always be present unless you never surf. Cookies are not problems as you will see in my final instructions below.

There is no one straightforward answer. Some programs are better than others one day, and then the next day after an update, it could change. Microsoft Security Essentials is free and is okay, but it is not nearly as good as other programs like Avira, Avast, and Comodo. But these other programs will come with some additional baggage ( like Ask Toolbar ). Free software these days is being supported by adding in toolbars and other addons. In some cases, you can opt out of these addons and in others you cannot. Ad-Aware puts Blekko Toolbar on your PC and many people really hate this one and treat it like malware. Ad-Aware stopped being on my recommended list of tools many, many years ago now. They just became ineffective and nothing but a cookie finder/remover, which is a waste of time even scanning for. You can easily remove cookies via your browser.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
  • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work through the below link:
     
