Inexplicable slowdown

alyssa · Feb 27, 2013

I loaned out my laptop and received the report when I got it back that it was running very slowly. I did not experience this before and the only thing that I have done recently that I can remember is performing a JAVA update (which seemed to take an inordinate amount of time and created a very large file and folder (SUN) on the drive). In the event that some malware has made it onto the computer I ran the READ and RUN FIRST applications. The Rogue Killer gave me an alert about Zero Access. I could not determine if it ran completely so I reinitiated it. I included the second log file.

Attached are the log files. As always, thank you for your assistance.

TimW · Feb 27, 2013

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Files/folders tab and locate these detections:

[ZeroAccess][FILE] @ : C:\Documents and Settings\User\Local Settings\Application Data\{1e9266dd-8005-41e4-651c-a010c35058e3}\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\WINDOWS\Installer\{1e9266dd-8005-41e4-651c-a010c35058e3}\U --> FOUND
[ZeroAccess][FOLDER] U : C:\Documents and Settings\User\Local Settings\Application Data\{1e9266dd-8005-41e4-651c-a010c35058e3}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\WINDOWS\Installer\{1e9266dd-8005-41e4-651c-a010c35058e3}\L --> FOUND
[ZeroAccess][FOLDER] L : C:\Documents and Settings\User\Local Settings\Application Data\{1e9266dd-8005-41e4-651c-a010c35058e3}\L --> FOUND

Place a checkmark each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Do not reboot your computer yet.

Rescan with HitmanPro.
Choose to Delete these files if they are detected:

C:\Documents and Settings\User\Local Settings\Application Data\{1e9266dd-8005-41e4-651c-a010c35058e3}\@ (ZeroAccess)
C:\Documents and Settings\User\Local Settings\Application Data\{1e9266dd-8005-41e4-651c-a010c35058e3}\L\ (ZeroAccess)
C:\Documents and Settings\User\Local Settings\Application Data\{1e9266dd-8005-41e4-651c-a010c35058e3}\L\00000004.@ (ZeroAccess)
C:\Documents and Settings\User\Local Settings\Application Data\{1e9266dd-8005-41e4-651c-a010c35058e3}\U\ (ZeroAccess)
C:\WINDOWS\Installer\{1e9266dd-8005-41e4-651c-a010c35058e3}\L\ (ZeroAccess)
C:\WINDOWS\Installer\{1e9266dd-8005-41e4-651c-a010c35058e3}\L\00000004.@ (ZeroAccess)
C:\WINDOWS\Installer\{1e9266dd-8005-41e4-651c-a010c35058e3}\L\201d3dde (ZeroAccess)
C:\WINDOWS\Installer\{1e9266dd-8005-41e4-651c-a010c35058e3}\L\55490ac4 (ZeroAccess)
C:\WINDOWS\Installer\{1e9266dd-8005-41e4-651c-a010c35058e3}\U\ (ZeroAccess)

Ignore all other detections.
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take affect, please do so.

Now rescan with both RogueKiller and Hitman and attach those new logs as well.

alyssa · Mar 1, 2013

Thank you Tim for your reply.
I ran roguekiller and hitman per your direction.
Upon completion of roguekiller I only found the "files" tab (no files and folders) and could find no check boxes. I highlighted one of the files and pressed the delete button and the roguekiller software began deleting the stuff under the registry tab. There was no stop button and I feared just turning off the machine in the middle of the process, so I let it run its course.

I then scanned the computer with Hitman. It found no threats and it does not appear to have created a log file.

I hope that I did not mis-apply the roguekiller software. It actually generated two files. RKreport[3] and RKreport[4] are attached.

alyssa · Mar 1, 2013

Sorry, Tim, I forgot to rescan. Will do it now.

alyssa · Mar 1, 2013

I forgot to do the "save log" on the Hitman screen on the previous scan but did on this one.

The rescan logs for roguekiller, RKreport[5], and hitman, HitmanPro_201 30301_1357.log, are attached.

TimW · Mar 1, 2013

Looks good. What issues are you still having, if any?

alyssa · Mar 27, 2013

Tim

I have been running relatively problem free for a few weeks - maybe too long. I have not had a chance to use the computer frequently. I think I am ready to go through the recovery process.

TimW · Mar 27, 2013

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.

Go back to step 4 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
related to MGtools and some other items from our cleaning procedures.

After doing the above, you should work thru the below link

How to Protect yourself from malware!

Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0

Log in or Sign up

Inexplicable slowdown

alyssa Private E-2

Attached Files:

RKreport[2]_S_02262013_02d1749.txt

mbam-log-2013-02-26 (18-00-55).txt

HitmanPro_20130226_1845.log

TDSSKiller.2.8.16.0_26.02.2013_18.23.13_log.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

alyssa Private E-2

Attached Files:

RKreport[3]_S_03012013_02d1204.txt

RKreport[4]_D_03012013_02d1212.txt

alyssa Private E-2

alyssa Private E-2

Attached Files:

RKreport[5]_S_03012013_02d1257.txt

HitmanPro_20130301_1357.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

alyssa Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member