Great Read First Instructions, still having issues...

Discussion in 'Malware Help (A Specialist Will Reply)' started by jenf, Oct 21, 2007.

  1. jenf

    jenf Private E-2

    Hello, First let me compliment admin of majorgeeks.com you guys are doing a great job - what a wealth of information! I have done my best to follow steps 0-6b in the READ ME FIRST post under Malware removal. Please find here attached my logs.
     

    Attached Files:

  2. jenf

    jenf Private E-2

    other logs requested.
     

    Attached Files:

  3. jenf

    jenf Private E-2

    I realize that I forgot to mention my symptoms... the CPU usage is always at like 100% and my computer is UBER slow. I did basic maintenance as suggested for slow computers, then I followed instructions for malware removal. Each scan suggested that my computer is definitely infected. Thanks again.
     
  4. abri

    abri MajorGeek

    Hi jenf!
    Welcome to Major Geeks!
    1) Please look in Add/Remove Programs for the following and uninstall them if found..
    2) Then delete the below folders which may be left behind by the uninstall:

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Sunbelt Software
    C:\Documents and Settings\Jen\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    3) Now REBOOT your computer!

    4) After you've rebooted, please install Java Runtime Environment vs. 6.2

    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    I am looking at your logs. This takes some time, so it could be tomorrow before I get back to you. If you have any questions about the above procedures, just ask.

    abri
     
  5. jenf

    jenf Private E-2

    Thank you Abri! I did all steps you outlined including uninstalling Windows Messenger. Please let me know your analysis of the logs when you have a chance. Kind regards, JenF
     
  6. abri

    abri MajorGeek

    Hi jenf!

    Please do the following:

    1) Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    2) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box (including the words Folders to delete) below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    3) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    4) After you have completed ALL of the above in the correct order, please attach the following logs.
    • Avenger Log
    • ShowNew Log
    • HijackThis Log


    Let me know how things are running now.

    abri
     
  7. jenf

    jenf Private E-2

    Hello Abri,
    I have completed the recommended steps, thank you! There seems to be some improvement, but I will play a bit more to make sure. I thought I would also let you know that when I ran the avenger steps, when restart completed it said that the avenger.txt file could not be found and asked if I wanted to create a new one. I answered yes. The text file however is empty, as you will see by the posted log. Please let me know if you think I should try this step again? Thanks again for all your help. Kind regards, JenF

    Also, for some reason I am unable to attach logs. I will try in separate post. (tried and failed... I do not know why the attach files area in the additional options no longer allows me to attach items!) HELP
     
    Last edited: Oct 22, 2007
  8. jenf

    jenf Private E-2

    posts... didn't realize you had to be in IE to post... sorry.
     

    Attached Files:

  9. jenf

    jenf Private E-2

    Here is the file that was needed; I didn't know to use IE for attachments. Thanks again. Jen
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi jenf!
    Your Avenger log was not empty! It says "Folder C:\WINDOWS\system32\wsnpoem deleted successfully." However, the file is still appearing in both HijackThis and in your newfiles.txt logs, therefore I need to ask you if you ran things in the correct order. That would have been to fix the file with HijackThis (the F2 line), to then run Avenger and delete the folder C:\WINDOWS\system32\wsnpoem, to then rerun HijackThis to produce a fresh log and to rerun ShowNew to produce a fresh log. It's important for me to know if both the HijackThis log and the ShowNew log were run after you deleted this. If they were, it means this file is still on your computer and we have to get it off.
    abri
     
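    The check abri is asking for above (the log says the folder was deleted, yet a later listing still shows it) can be automated. The following is an added example, not part of this thread and not Avenger's or ShowNew's own code; the "deleted successfully" wording is taken from the quoted log line, while the "could not be deleted" failure wording, the sample file names and the listing are constructed assumptions.

```python
import re
from typing import Dict, List

# Matches Avenger result lines such as
#   Folder C:\WINDOWS\system32\wsnpoem deleted successfully.
# The "could not be deleted" variant is an assumed failure wording.
_RESULT = re.compile(
    r'^(?P<kind>File|Folder)\s+"?(?P<path>.+?)"?\s+'
    r'(?P<status>deleted successfully|could not be deleted)\.?\s*$',
    re.IGNORECASE,
)


def parse_avenger_log(text: str) -> Dict[str, str]:
    """Map each path named in an Avenger log to its reported status.
    Paths are lower-cased because Windows paths are case-insensitive."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        m = _RESULT.match(line.strip())
        if m:
            results[m.group("path").lower()] = m.group("status").lower()
    return results


def not_deleted(results: Dict[str, str]) -> List[str]:
    """Paths the log itself reports as not removed."""
    return [p for p, s in results.items() if s != "deleted successfully"]


def still_present(results: Dict[str, str], listing: List[str]) -> List[str]:
    """Paths the log says were deleted but that still appear in a listing
    taken afterwards (e.g. a fresh ShowNew newfiles.txt). A hit is the path
    itself or anything underneath that folder."""
    deleted = [p for p, s in results.items() if s == "deleted successfully"]
    seen = [e.strip().lower() for e in listing]
    return [p for p in deleted
            if any(e == p or e.startswith(p + "\\") for e in seen)]


# Constructed sample data (not the poster's actual logs).
SAMPLE_LOG = "\n".join([
    "Avenger log (constructed sample)",
    r"Folder C:\WINDOWS\system32\wsnpoem deleted successfully.",
    r"File C:\WINDOWS\system32\example.dll could not be deleted.",
])
SAMPLE_NEWFILES = [
    r"C:\WINDOWS\system32\wsnpoem\sample1.dll",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    res = parse_avenger_log(SAMPLE_LOG)
    print("reported not deleted:", not_deleted(res))
    print("deleted but still listed:", still_present(res, SAMPLE_NEWFILES))
```

    A non-empty result from still_present means the tools were run out of order or the folder came back, which is exactly the case abri wants confirmed before moving on.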
  11. jenf

    jenf Private E-2

    Hi Abri,

    Let me clarify. I did run everything in the order which you outlined. The only problem was that the avenger text file after I restarted WAS empty. So, then I re-ran the avenger.exe a second time BUT only after I had done the ATF Cleaner... So, I am going to run steps again and repost logs JUST to be sure. Thanks for your patience and help.
     
  12. jenf

    jenf Private E-2

    Hi Abri, here are the logs after re-running steps. Thanks
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi jenf!
    Thanks! The new logs show that the file I wanted you to get rid of is gone. Now the question is, has anything in your computer improved since you started working through the READ & RUN ME? Is your computer still at such a high CPU usage and Über slow? Your computer was infected, but not badly, therefore I wonder what else might be going on.
    I see this in your uninstalls list. ffdshow
    Is this something that you might have downloaded from a free site? You can google it for more information about what it is, but it offers free screen savers and I'm always suspicious of things like that.
    abri
     
  14. jenf

    jenf Private E-2

    Hi Abri,

    I went ahead and removed ffdshow and any other programs that I thought would be sucking memory and then I gave it a few days to see if my performance would improve. Unfortunately, it's hot/cold... programs I use often are Firefox, Skype, Outlook 2003, Word, Excel & GoToMeeting by Citrix. Somehow my CPU really just comes to a screeching halt as I'm doing day to day things with these applications. Now that you say I'm pretty much clean, I don't know which way to turn. The facts are this: one day I was having no issues with CPU speed using these same applications and then the next day my performance went to crap - which makes me think it was simply the malware. Now that I'm "clean", I hesitate to believe it's my RAM (512M)... but I've run out of options. Got any other cool ideas?? Thanks in advance for any direction. Regards, Jen
     
  15. abri

    abri MajorGeek

    Hi jenf!
    I don't think it's your amount of RAM. It could be that one of the RAM modules has hardware problems. This is something that the hardware forum could help you test. In the software forum, they could give you more information about why your CPU usage is shooting up to 100% like that. If you want to spend a bit more time looking for malware, you can run a couple of the Alternate Scans here. If you scroll about halfway down the page, there are several rootkit scans and you can pick out two or three of these and post the results to us. We can see if there are any hidden files.

    I'm sorry this isn't an obvious problem. The obvious ones are easier to solve.
    abri
     
