Logs - Comp is getting progressively sluggish

It's really getting slow, and I've finished all the recommended steps. Everytime I run Nod32, it finds files in ~user/Local Settings/Temp with Adware.Agent.NFX in them. Everytime I quarantine and delete.

Only other visible problems now are IE popups (without using IE) that try taking me to spyware fixing sites.

The hardrive is crunches pretty regularly, and the popups stop when I kill explorer.exe.

Can't think of what else to mention...attachment button doesn't appear below, so I'll try attaching them as replies to this post...

 

Alright, the attachment button isn't showing. What gives?

 

Weird...works now.

Note: One of the sites is "YourPrivacyGuard".

 

...

newfiles.txt was too large (zipped)

 

Before we begin, run the procedure below to clean out the temp junk. Then run ComboFix in part 2.

Once you complete the steps above, attach fresh logs from the below.

• HijackThis Log
• ShowNew Log
• GetRunKey Log
• ComboFix Log

 

Thanks for picking up the thread.

I did step 1, then 2, then the order of logs you asked for. First combofix (pre in the filename) caused a reboot while the second one didn't. Near the end of the second combofix, explorer crashed and reset itself (don't know if it's relevant).

 

...last 2 logs...

 

Step 1:
Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.

Step 2:
Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

Again, make sure ALL browser windows are closed when you click FIX.

Step 3:
Next Reset Web Settings & Default Security Settings

Note for IE 6 users:
To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

Note for IE 7 users:
Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


Step 4:
Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


Step 6:
After you have completed ALL of the above in the correct order, please attach the following logs.

• HijackThis Log
• ShowNew Log
• GetRunKey Log

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

 

Followed the steps in order, hijack-pre is from the start of step 2 and hijack-post is from step 6.

Things to note:
- Since the last post, it was running much better, but still had random think-spurts...they just weren't as long/frequent as before (but still abnormal).

- Things in C:\doc + set\user\local settings\temp were subsided until just today I noticed them coming back.

- I've installed a firewall (COMODO), and tested it with a benchmark elsewhere on this forum (came out sound). But I did notice something, and it goes back to my hunch that explorer.exe was compromised:

About every 5 seconds explorer.exe tries to make an http request to an unknown ip through svchost.exe. Now they're showing as the parent being services.exe, but still through svchost.exe to the 'bad' ip. Info I've found on the IP(81.29.248.50):
http://www.dnstools.com/?lookup=on&...on&all=on&target=81.29.248.50&submit=Get+Info
http://www.malwaredomainlist.com/md...lsearch=All&ascordesc=ASC&quantity=100&page=1

I'm letting nod32 do an in depth scan while I take a break for a bit. Thanks for working through this with me. Cheers.

 

new files was just barely over the limit...

 

Download CleanUp! & CCleaner, save to desktop and install both. Once installed run them one at a time, once completed reboot and attach a fresh ShowNew, GetRunKey & HijackThis Log.

Also, if you have multiple user accounts, run CCleaner on each account.

 

The thing is still trying to reach that bad ip.

Logs attached.

 

Your logs look good, what are you referring to?

 

Sorry, I was referring to an earlier post in this thread.

- I've installed a firewall (COMODO), and tested it with a benchmark elsewhere on this forum (came out sound). But I did notice something, and it goes back to my hunch that explorer.exe was compromised:

About every 5 seconds explorer.exe tries to make an http request to an unknown ip through svchost.exe. Now they're showing as the parent being services.exe, but still through svchost.exe to the 'bad' ip. Info I've found on the IP(81.29.248.50):
http://tinyurl.com/3durgg (dns lookup)
http://tinyurl.com/333d7c (info on the ip)

 

See the threads below, run these scans and attach the two logs please.

Running AVG Anti-Spyware

Using Sophos Anti-Rootkit

 

AVG didn't generate the log until another scan was started...weird...

Both attached.

 

See this thread and attach a log.

Running GMER to detect rootkits

 

Must have overlooked it, will include in next fix. Thanks!

 

Log attached.

Another note:
So I've been banging my head around getting a firewall setup properly to do what I want it to (block the explorer from accessing the bad ip, etc) and through the process I've gone through a few firewalls and noticed the following behaviour:

When a firewall is blocking explorer.exe from accessing the bad ip, not much else happens to the system (nothing I can find). It just tries every 6 seconds or so to make a connection. But when it's open, and explorer.exe does make the connection, the infected files in my C:\Doc+Settings\user\LocalSettings\Temp start appearing again.

Don't know if it helps, but I just thought I'd mention it.

 

Last ones...

Using Silent Runners

Running Rootkit Revealer

 

Don't I wish .

Attached.

PS. Sorry for the delay...was away for the weekend.

 

Download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme1.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme1.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Once you complete the above, reboot a few times and post back any problems you have.

 

Steps Taken:
- Downloaded / Ran Avenger
- Reboot
- Task Bar was unclickable this boot
- Log came up. See attached.
- Made the regedit file / ran it
- Reboot
- Error Dialog on Boot:
DAEMON Tools: Invalid Device
- Had to click through 2 of them
- Installed Comodo
- Reboot:
- Before logging out, error message:
verclsid.exe: Failed to initialize because Windows is shutting down
- Same DAEMON Tools problem on reboot
- Ran an application finder on Comodo
- Reboot
- Same DAEMON Tools problem on reboot
- Probably entirely unrelated, but a pixel burnt on this reboot.
- Ran AVG AntiSpyware Reg Scan - nothin
- Ran CCLeaner Registry Scan - Image attached (nothing fixed)
- SpyBot Search and Destroy updated, and 544 new objects aren't immunized (that make sense?)

Running a full spybot search and destroy scan now, and going to do a full nod32 and avg anti-spyware scan afterwards.

I'm still trying to get used to Comodo's interface, but I think explorer.exe has ceased it's quest to reach the bad ip via http. What step that you suggested would have fixed this?

 

Quick followup, Spybot found a registry entry concerning Smitfraud...see attached.

 

Okay! Let's be on the safe side and run the below.

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

How are things working now?

 

Logs attached.

Noticed:
- DAEMON Warning still comes up on reboot.
- File Explorer behaviour reverted (doesn't open new windows anymore)
- Wall paper was deleted (it was just from a browser).

Nothing totally unexpected. Running another full AVG Spyware scan...

 

This is normal!

You can if you like but it's not requred unless you're having further malware issues.

 

Please go back to Post 17 and attach a fresh log from GMER.

Also, attach fresh logs from ShowNew, GetRunKey & HijackThis.

 

Any ideas as to the daemon error or what would have fixed explorer's attempt to reach bad ip's?

Logs attached...

 

+3...

 

Did you purchase AVG Anti-Spyware? If not, you can uninstall now.

Have HJT fix the below entries below. Reboot once complete and let me know how things are running.

 

Daemon popups stopped.

- Why shut down Google Desktop?
- The Add/Remove Programs list seems extremely sparse now...I just uninstalled AVG, but it wasn't listed in the add/remove programs anymore. That normal?
- Doesn't seem to be any external connection attempts according to comodo.
- Again, out of curiosity, what would of zapped the problem with explorer.exe trying to reach the bad ip?

Thank you so much for the help with this. Never thought this kind of cleaning was possible...

 

It's unecessary to load at startup however if you want this to start when the OS loads that's fine.

May have got removed somewhere during the cleaning process, hard to say.

Good! Seems we have removed the infection!

More than likely, Post 23.

Yes! We do this every day many times a day for free to people worldwide.

 

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger, the log (avenger.txt) and C:\avenger.
8. If we had you download any registry patches like fixme.reg, fixme1.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
10. If you are running Windows XP or Windows ME, do the below:
    • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Done and done...

Now running AVG Free (uninstalled the trial version of nod32), Comodo BOClean, and the SpyWare blaster.

SB S&D shows all of the bad links for uninstalling as errors with the registry. Was just going to write them down, and clear what isn't needed for sure before fixing the reg entries. There's no quick/easy way to have the add/remove list reverted is there?

Thanks again for the help. Big time life saver...

 

I don't think I understand what you're asking? Elaborate?

 

current-list: shows what's currently in the add/remove programs menu.
ccleaner-problems: shows just a subset of the programs that used to be listed (and are still valid/installed)

Was just curious if there was a way to restore the add/remove programs list.

 

This is really a question for the Software Forum as it's not malware related.

 

Ahh...indeed.

Thanks again for the help. Definitely keeping this place bookmarked for others that hit a wall.

Cheers

 

Your Welcome!

Surf Safely!:major