Massive slowdown, nothing working!

Discussion in 'Malware Help (A Specialist Will Reply)' started by slimjim4959, Sep 5, 2005.

  1. slimjim4959

    slimjim4959 Private E-2

I have done everything that the tutorial in this forum has suggested but my computer is absolutely infested with spyware/malware/adware. The stuff just keeps coming and the situation is slowly getting worse. I have followed the tutorial completely but there is still a lot of slowdown. It was a lot worse before (my wallpaper was jacked, so was my browser, popups would continually open) but now nothing is working. I cannot open any programs and when I could things did not work. For example whenever I opened explorer and tried to go to a web page the browser would just close. Now I can't even open the browser because it's so slow. This seems to have just happened in a split second and I have been wrestling with it for the past day. The laptop seems to function fine in safe mode but as soon as I go into normal everything is awful again. Any suggestions? Could I perhaps post my hijack this log for you all? Thanks very much for any help you can give.
     
  2. slimjim4959

    slimjim4959 Private E-2

    Sorry for the double post

I guess I also wasn't specific enough with what I was dealing with.

I have seen signs of Smitfraud (my wallpaper was changed to a blue screen of death that said that the comp was infected with smitfraud.c), Aurora, Surf Sidekick, and quite a few others. Once again, any suggestions? Thanks very much
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download smitRem.exe and save the file to your desktop.

Double click on the file to extract it to its own folder on the desktop.

    Reboot into safe mode.

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log in your next reply.

    If still having problems at this point, follow the steps below.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. slimjim4959

    slimjim4959 Private E-2

    Thanks very much! Here is the smitrem log and also I ran Hijack This after the Smitfraud remove and I am attaching the log as well, thanks!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You need to post your HJT log from normal boot mode. But before doing that follow the steps below.

    1) look in Add/Remove programs for the below and uninstall if found:

    SurfSideKick 3
    Media Access

    2) Fix SpyBot's Ignore Products Bug:
I want you to run SpyBot and get into the Advanced mode by selecting Mode and then
Advanced mode. Then select Settings and then in the left column select Ignore Products.
In the right window pane make sure the All products tab is selected. Then in that
window, right click your mouse and choose "Deselect all". Now in the left pane click
at the top on SpyBot S&D and then choose Search for Updates. Download any updates
required. Now click Check for Problems. Fix any that are found.

    Now post a new HJT log from normal boot mode.

    You have a load more issues to fix. You are also seriously out of date with your Windows Updates. We will have to address that later after fixing current malware problems.
     
  6. slimjim4959

    slimjim4959 Private E-2

    Hi Sorry for the slow response.

    I did not find either program in add/remove so I wasn't able to uninstall them.

    I fixed the bug in Spybot and deleted the files that it found.

    As for the Windows Updates not being updated, well that's on purpose. This computer is a hospital workstation and there are quite a few incompatibilities with the software we use and SP2/other updates so we are told NOT to update under any circumstances. While that isn't really smart, at this point there are no other choices.

    I have uploaded my updated Hijack This log, thanks very much once again!
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

There are other choices!! You can update to SP1 or SP1a level and not update to SP2. While this is not the best choice, it is much better than what you have now. In addition you can also do selective updates and just not install SP2. There are a whole bunch of other security patches you probably need. So there are other choices. The alternative is to constantly get infected and lose the use of the PC anyway and also possibly lose important information to malware problems.

Did you delete the list of running processes from your HJT log? Or did HJT actually not list them??
     
    Last edited: Sep 8, 2005
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's continue.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Command Service (or if not found look for cmdService) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, go back to HJT and select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Command Service

    If that does not work try entering the short name: cmdService

    Now exit HJT but do not reboot if it tells you one is needed. We will be restarting HJT again in a few lines.

    Since your last log did not show running processes, I will have to guess at what may be running in my steps below.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\PSof1.exe
    C:\WINDOWS\System32\exp.exe
    C:\WINDOWS\System32\wintask.exe
    C:\Program Files\SurfSideKick 3\Ssk.exe
    C:\WINDOWS\etb\pokapoka65.exe
    C:\WINDOWS\System32\medgs1.exe
    C:\WINDOWS\System32\opr.exe
    C:\DOCUME~1\sladina\LOCALS~1\Temp\InSearch.exe
    C:\Program Files\Media Access\MediaAccK.exe
    C:\WINDOWS\System32\piduri.exe reg_run
    C:\WINDOWS\System32\pshwr.exe
    C:\Program Files\Cas\Client\casclient.exe
    C:\Program Files\SurfSideKick 3\Ssk.exe
    C:\Program Files\winCMAPP\wincmapp.exe
    C:\WINDOWS\U0xhRGluYQAA\command.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
    O1 - Hosts: 69.31.81.22 search.xtramsn.co.nz search.msn.co.uk search.msn.be search.msn.dk search.msn.fi search.msn.fr
    O1 - Hosts: 69.31.81.22 beta.search.msn.dk beta.search.msn.fi beta.search.msn.fr beta.search.msn.de beta.search.msn.it
    O1 - Hosts: 69.31.81.22 beta.search.msn.nl beta.search.msn.no beta.search.msn.es beta.search.msn.se beta.search.msn.ch
    O1 - Hosts: 69.31.81.22 www.alexa.com alexa.com
    O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshftcl.dll
    O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
    O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
    O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
    O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\sladina\LOCALS~1\Temp\InSearch.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\piduri.exe reg_run
    O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
    O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0016.exe
    O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) -
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U0xhRGluYQAA\command.exe

    After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\pkshftcl.dll
    C:\WINDOWS\System32\PSof1.exe
    C:\WINDOWS\System32\exp.exe
    C:\WINDOWS\System32\wintask.exe
    C:\Program Files\SurfSideKick 3\Ssk.exe
    C:\WINDOWS\etb\pokapoka65.exe
    C:\WINDOWS\System32\medgs1.exe
    C:\WINDOWS\System32\opr.exe
    C:\DOCUME~1\sladina\LOCALS~1\Temp\InSearch.exe
    C:\Program Files\Media Access\MediaAccK.exe
    C:\WINDOWS\System32\piduri.exe reg_run
    C:\WINDOWS\System32\pshwr.exe
    C:\Program Files\Cas\Client\casclient.exe
    C:\Program Files\SurfSideKick 3\Ssk.exe
    C:\Program Files\winCMAPP\wincmapp.exe
    C:\WINDOWS\U0xhRGluYQAA\command.exe

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
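The HJT lines in the post above (and the shorter list in the later WinSync post) are the raw material a helper reads by eye. As an added example that is not code from the thread, from HijackThis or from MajorGeeks, the Python script below automates the first pass of that reading: it flags hosts-file entries that send search domains to one non-loopback address, Run entries that start from a Temp directory, a service whose directory name looks like base64, an ActiveX (O16) download that points at a raw .exe, and a start page the owner does not recognise. The sample log is constructed from lines of the same shape as those quoted (it is not the poster's attached log, and it includes a benign ctfmon.exe line to show ordinary entries pass through); `triage`, `looks_base64`, `path_reasons` and the `trusted_start_pages` list are this example's own names and assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the HijackThis lines quoted in the thread
# (not the poster's actual attached log). A benign ctfmon.exe line is included
# so the output shows that ordinary entries pass through unflagged.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O1 - Hosts: 69.31.81.22 search.xtramsn.co.nz search.msn.co.uk search.msn.be
O1 - Hosts: 69.31.81.22 www.alexa.com alexa.com
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\sladina\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\piduri.exe reg_run
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0016.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U0xhRGluYQAA\command.exe
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}          # the only targets a clean hosts file should map to
BASE64ISH = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")  # base64 alphabet, at least 12 characters
EXE_PATH = re.compile(r'^"?(.*?\.(?:exe|dll|com|bat|scr))', re.IGNORECASE)
RUN_ENTRY = re.compile(r"(HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)")


def looks_base64(name: str) -> bool:
    """True for directory names like U0xhRGluYQAA: base64 alphabet only, length a
    multiple of four, and mixed case (so System32 or Prefetch do not match)."""
    return (BASE64ISH.fullmatch(name) is not None
            and len(name) % 4 == 0
            and any(c.isupper() for c in name)
            and any(c.islower() for c in name))


def path_reasons(path: str) -> List[str]:
    """Heuristics on an executable path: autostarts from a Temp directory and
    base64-looking directory names (the file name itself is not judged)."""
    reasons: List[str] = []
    dirs = path.split("\\")[:-1]
    if any(d.lower() == "temp" for d in dirs):
        reasons.append("runs from a Temp directory")
    if any(looks_base64(d) for d in dirs):
        reasons.append("directory name looks like base64")
    return reasons


def triage(log_text: str, trusted_start_pages=()) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: its HJT code, the line, and the
    reasons it was flagged. trusted_start_pages holds substrings the owner
    recognises as their own start page (an assumption of this example)."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code, _, rest = line.partition(" - ")
        reasons: List[str] = []

        if code == "R0" and "Start Page" in rest:
            url = rest.split("=", 1)[-1].strip()
            if url and not any(t in url for t in trusted_start_pages):
                reasons.append(f"start page {url} is not a trusted page")

        elif code == "O1" and rest.startswith("Hosts:"):
            fields = rest[len("Hosts:"):].split()
            if fields and fields[0] not in LOOPBACK:
                reasons.append(f"hosts file sends {len(fields) - 1} name(s) to {fields[0]}")

        elif code == "O4":
            m = RUN_ENTRY.match(rest)
            pm = EXE_PATH.match(m.group(3)) if m else None
            if pm:
                reasons += path_reasons(pm.group(1))

        elif code == "O16" and rest.lower().endswith(".exe"):
            reasons.append("ActiveX download points at a raw executable")

        elif code == "O23":
            if "Unknown owner" in rest:
                reasons.append("service binary has no identifiable owner")
            reasons += path_reasons(rest.rsplit(" - ", 1)[-1])

        if reasons:
            findings.append({"code": code, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_start_pages=("infonet",)):
        print(f"{f['code']:>4}  {'; '.join(f['reasons'])}\n      {f['line']}")
```

Note what these heuristics do not catch: the piduri.exe entry sits in System32 and only stands out by its odd "winsync" label, which is exactly why the thread still depends on an expert reading the whole log and on dedicated removal tools. Output like this is for prioritising lines to review, not for fixing them automatically.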
     
  9. slimjim4959

    slimjim4959 Private E-2


I did not delete anything so my best guess is that HJT did not list them. Thank you very much for your help and I will try this at work tomorrow! You guys are life savers.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Let me know how things work out.
     
  11. slimjim4959

    slimjim4959 Private E-2

    Alright! I did everything as you said except for two things:

1. I couldn't disable system restore because in my properties I don't have a system restore tab.

2. I couldn't kill all the processes you told me because I couldn't find them (I don't think this is too much of a problem though)

My computer is running much, MUCH faster and I can finally open my IE. However random pop ups are still coming up once in a while.


    I have attached my HJT log as per your instructions, thank you very much!!!
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We still have more work to do!

    You need to disable Spybot's TeaTimer function because it is getting in our way of fixing things.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    Now quit Spybot!

    Is infonet your valid Start and Default pages?

    Download and run the following:

    EliteToolbar Remover

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\Common Files\Windows\services32.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe <-- these may be gone already
    O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\piduri.exe reg_run
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000120.exe

    After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\etb <--- the whole folder
    C:\WINDOWS\System32\piduri.exe
    C:\Program Files\Common Files\Windows\mc-58-12-0000120.exe
    C:\Program Files\Common Files\Windows\services32.exe

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working. We may have to do some additional special steps to remove the WinSync problem. It normally hides several other files that need to be removed to get this fixed. We shall see.
     
  13. slimjim4959

    slimjim4959 Private E-2

    well this winsync/piduri thing is damn stubborn:


I tried to delete it but it said it was in use so it couldn't be removed and the file disappeared. So I rebooted again in safe mode and right clicked properties and the read only box was not checked and when I got out of the properties menu and back into the system 32 folder the file again disappeared. Also winsync/piduri is not in the process manager.

    Yes infonet is the homepage that I want.


    Also this pokapoka65 and 66 thing keeps reappearing.

    Here is my current HJT log, thanks ever so much!
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not see any signs of the pokapoka stuff. The Elite Toolbar remover quite often fixes this.

You need to remove (Fix) the restrictions in your HJT log:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Now onto WinSync!


    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post both logs as attachments.
     
