EV19 folder issues?

Discussion in 'Malware Help (A Specialist Will Reply)' started by epoclaen, Dec 28, 2008.

  1. epoclaen

    epoclaen Private E-2

    I've followed the READ AND RUN ME FIRST instructions.

    Bear in mind that doing so took nearly 2 days of constant attention to my computer and work due to the fact that opening even something as simple as a single folder was delayed by up to 10 minutes thanks to the sluggishness caused by whatever is infecting my system.

    I first started having problems around the 19th of December when I caught a pop-up window with the famous "AntiVirusXP 2009" warning, which I promptly closed. Since then, AVG caught a suspicious file in the C:\Windows\EV19 folder which I told it to quarantine. Since then my system has become so unbearably slow that doing anything at all on it is nearly impossible without an incredible amount of patience.

    Here are the logs from the scans that were required from Mbam, ComboFix and SaS with MGtools to follow.
     


  2. epoclaen

    epoclaen Private E-2

    The MGtools logs.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to run the below System File Check, but since you are using an illegal copy of Windows XP you probably do not have a CD to insert if it asks for it. You need to get a legal copy of Windows.

    Your Desktop is a mess. You need to clean it up immediately, leaving only links. Do not store downloads, exe files, iso files, etc. on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware), a cluttered Desktop is an easy hiding place for malware, and last but not least it can have an effect on your PC's performance.

    Do you know what the below startup process is?
    O4 - Startup: SGETASK.EXE

    Also what is the below?
    O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup

    Do you know what the below files are for?
    Code:
    2007-02-28 02:13 30,601 ----a-w c:\documents and settings\User\x.exe
    2006-03-23 21:32 73,728 ----a-w c:\documents and settings\User\SetupNI.dll
    2006-03-21 03:00 7 ----a-w c:\documents and settings\User\Application Data\bin.dll
    2006-01-04 01:08 32 ----a-w c:\documents and settings\User\Application Data\pexmodes.dat
    Did you have Spybot's Teatimer running before coming here? We did specify in the READ & RUN ME not to use it. You must disable Spybot's Teatimer before doing the below since it will get in the way. See this: How to disable Spybot's TeaTimer


    Delete the below folder and file.
    Code:
    "C:\"
    44D32A~1      Nov  6 2008              "44d32a99ec178b22225470bd58"
    gse.~xt       Dec 19 2008         171  "Gse.~xt" 

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now go to this link Using MGtools and download the new version of MGtools.exe using the black bold print link in the first sentence.


    Run MGtools.exe then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
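    The questions above about x.exe, SetupNI.dll, bin.dll and pexmodes.dat are the kind of thing a helper answers by eye from a ComboFix-style file listing. As an added example (not part of the thread and not MajorGeeks' or ComboFix's own code), the Python below parses lines in that layout and attaches the plain-language reasons a reviewer would ask about a file: a code file sitting outside Windows or Program Files, a file far too small to be a real PE image, or a one-letter file name. The sample listing, the "trusted roots" list and the 64-byte minimum (the size of a PE file's DOS header) are assumptions made here for the example; a flagged line is a question to ask, not a verdict.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the same layout as the ComboFix-style listing quoted
# in the thread: date, time, size, attribute flags, full path.
SAMPLE_LISTING = r"""
2007-02-28 02:13 30,601 ----a-w c:\documents and settings\User\x.exe
2006-03-23 21:32 73,728 ----a-w c:\documents and settings\User\SetupNI.dll
2006-03-21 03:00 7 ----a-w c:\documents and settings\User\Application Data\bin.dll
2006-01-04 01:08 32 ----a-w c:\documents and settings\User\Application Data\pexmodes.dat
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+?)\s*$"
)

# Assumed locations where code files normally live; anything elsewhere gets a closer look.
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files")
CODE_EXTS = (".exe", ".dll", ".scr", ".sys", ".com", ".ocx")
# A PE image starts with a 64-byte DOS header, so anything smaller cannot be real code.
MIN_PE_SIZE = 64


@dataclass
class Entry:
    date: str
    time: str
    size: int
    attrs: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(
        date=m["date"],
        time=m["time"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        path=m["path"],
    )


def triage(entry: Entry) -> List[str]:
    """Return the plain-language reasons a reviewer should ask about this file."""
    reasons: List[str] = []
    path = entry.path.lower()
    stem, ext = ntpath.splitext(ntpath.basename(path))  # ntpath handles backslashes on any OS
    is_code = ext in CODE_EXTS
    if is_code and not path.startswith(TRUSTED_ROOTS):
        reasons.append("code file outside Windows/Program Files")
    if is_code and entry.size < MIN_PE_SIZE:
        reasons.append("too small to be a valid PE image")
    if len(stem) <= 1:
        reasons.append("single-character file name")
    return reasons


def parse_listing(text: str) -> List[Entry]:
    """Parse every valid line and run the triage checks on each entry."""
    entries: List[Entry] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entry.reasons = triage(entry)
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_listing(SAMPLE_LISTING):
        print(f"{e.size:>8}  {e.path}  ->  {'; '.join(e.reasons) or 'nothing unusual'}")
```

    Run against the sample, the 7-byte bin.dll is flagged as too small to be code and the one-letter x.exe as an odd name; pexmodes.dat gets nothing, which matches the thread, where those files turned out to be leftovers of legitimate programs rather than malware.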
     
  4. epoclaen

    epoclaen Private E-2

    I have a legal copy of Windows XP Pro w/SP2 and have run sfc. I did not see any indication that anything was replaced or anything though.


    Yeah, I'm real bad about that! I've cleaned it all up other than KillBox.

    Yes, this is the Simutronics Game Engine taskbar quicklaunch item.

    This is a file search program used instead of the Windows Explorer "search" option.

    Do you know what the below files are for?
    I believe it's part of an old VisualRoute installation.
    Yes, this is used by CrazyTalk although I doubt I'll ever be using or needing it.
    Unsure, but it only contains the text "3218.61".
    Unsure, but it only contains the text "FFF4D365FFF4D365FFFEFF9D0F625651".

    It was originally running, yes. I verified that it has been turned off as per the READ & RUN ME instructions but found I had forgotten to clear all checkboxes in the IE Tweaks section.


    Both are deleted but the "Gse.~xt" file was related to a known application and held port and IP addressing info. Hopefully it won't muck things up.

    Done.

    Got the success message.

    Done

    Done.

    Still seems to have system "stalling" issues particularly with running more than one task at once.

    Two things to note. One, I did not reboot at all since I did not see any instructions indicating I should do so. Did I miss that somewhere?

    Two, I noticed in the Event Viewer that there are a number of entries about disk errors in the System section.
    Source: Disk
    Event ID: 51
    An error was detected on device \Device\Harddisk0\D during a paging operation.
    Source: JRAID
    Event ID: 9
    The device, \Device\Scsi\JRAID1, did not respond within the timeout period.


    Any chance of an imminent harddrive failure?

    Thanks for the help.
     


    Last edited: Jan 1, 2009
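    The Disk 51 and JRAID 9 entries quoted above are the System-log symptoms of a drive, cable or controller problem, and the thread ends with the stalling fixed by re-seating the drive cables. As an added example (not part of the thread), the Python below parses records in the three-line layout the post uses, tallies the storage-related ones, and reports whether repeated errors make a hardware cause worth checking before the slowness is pinned on malware. The sample records (including one unrelated Service Control Manager event), the signature table and the "two or more" threshold are assumptions made here for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the layout the thread quotes from Event Viewer:
# a "Source:" line, an "Event ID:" line, then the message text. The last
# record is an unrelated event, included so that only storage sources count.
SAMPLE_EVENTS = r"""
Source: Disk
Event ID: 51
An error was detected on device \Device\Harddisk0\D during a paging operation.
Source: JRAID
Event ID: 9
The device, \Device\Scsi\JRAID1, did not respond within the timeout period.
Source: Disk
Event ID: 51
An error was detected on device \Device\Harddisk0\D during a paging operation.
Source: Service Control Manager
Event ID: 7036
The Print Spooler service entered the running state.
"""

# Assumed signature table: (source, event id) -> what the event usually means.
STORAGE_SIGNATURES: Dict[Tuple[str, int], str] = {
    ("Disk", 51): "I/O error during paging (disk, cable or controller)",
    ("JRAID", 9): "SCSI/RAID miniport timeout (device did not answer)",
}
# Assumed threshold: a single error can be noise; repeats point at hardware.
REPEAT_THRESHOLD = 2


def parse_events(text: str) -> List[Dict[str, object]]:
    """Group 'Source:' / 'Event ID:' / message lines into one record per event."""
    events: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Source:"):
            current = {"source": line.split(":", 1)[1].strip(), "id": None, "message": ""}
            events.append(current)
        elif line.startswith("Event ID:") and current is not None:
            current["id"] = int(line.split(":", 1)[1].strip())
        elif current is not None:  # any other line continues the message text
            current["message"] = (str(current["message"]) + " " + line).strip()
    return events


def summarize(events: List[Dict[str, object]]) -> Dict[str, object]:
    """Count storage-related events and decide whether hardware deserves a look."""
    counts = Counter((e["source"], e["id"]) for e in events)
    storage = {key: n for key, n in counts.items() if key in STORAGE_SIGNATURES}
    total = sum(storage.values())
    devices = sorted({
        d for e in events for d in re.findall(r"\\Device\\[\w\\]+", str(e["message"]))
    })
    return {
        "storage_events": storage,
        "storage_total": total,
        "devices": devices,
        "hardware_suspected": total >= REPEAT_THRESHOLD,
    }


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_EVENTS))
    for (source, event_id), n in report["storage_events"].items():
        print(f"{source} {event_id}: {n}x  {STORAGE_SIGNATURES[(source, event_id)]}")
    print("devices:", ", ".join(report["devices"]))
    if report["hardware_suspected"]:
        print("repeated storage errors: check cables, SMART data and the controller before blaming malware")
```

    The device names are pulled straight out of the message text, so the report shows which disk or controller path is failing; on the sample it names \Device\Harddisk0\D and \Device\Scsi\JRAID1, the two the post reported.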
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That may be but the copy running on this PC is not legal. You are using the antiwpa.dll file shown in your Malwarebytes log and labeled as the I.stole.windows trojan.

    It does not belong here either. It is really not something you should be needing all the time anyway.


    Anything you don't use/don't need should always be uninstalled.

    Don't know. This looks like a typical malware file name which is why I said to delete it. Looks like someone corrupted a file name that should have had a .txt extension to have a .~xt extension.


     
  6. epoclaen

    epoclaen Private E-2

    [SOLVED] Re: EV19 folder issues?

    I can't be 100% sure whether the procedures that were followed here are what solved the problem or if it was a hardware issue but the occasional stalling is fixed after following the initial instructions and after blowing any dust out of the hardware and simply re-seating the hard drive cables. I suspect that the cable plugs were to blame although why they decided to hiccup just then I don't know.

    Many thanks to chaslang for the careful and personalized attention and informative instructions while checking for software issues.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: [SOLVED] Re: EV19 folder issues?

    You're welcome. Make sure you follow my final instructions and surf safely!
     
