[Active] Infected somehow? Was here then disappeared but still here


wakwak1214
Hey,
Thanks for putting in the time for the help.
Running Lenovo 3000 v100 Core Duo T2300; XP home edition (SP3)
I'm not quite ready to reformat yet for 3 reasons: 1) I don't have a boot CD because Windows came preinstalled with my laptop; 2) Even if I had it, my CD-ROM is broken; 3) Lenovo/IBM has the 1-key recovery button, but my care button is broken too.

Possible cause: Two weeks ago I was playing Starcraft and suddenly got an ad pop-up ( had firewall off for hosting purposes... although I've been doing that for years with no problems, maybe it was about time I got something). Don't know if that's the cause. I have Symantec running live protection all the time. Symantec has never popped up to tell me I've been infected either.

Effects: Similar to other problems on this forum. I rarely and almost never use Internet Explorer. Realized that 2 iexplorer.exe were running as SYSTEM (I am logged into my own profile, admin/wakwak). Hear clicking in the background and get a few pop-ups here and there. I ran a few virus scanners (mbam, symantec, ad-aware, ESET online, trendmicro - all found nothing) and somehow my system sort of went SLOWWWWW from then on. I'm running on selective boot because I had been getting some BSOD. This happened for a week or so. Suddenly iexplorer.exe was NO LONGER running anymore (strange) but I still get pop-ups. Maybe the trojan has moved on to infect another program?
Went on vacation for a week and came back. Still getting the odd pop-up. I've noticed that sometimes Acrobat Reader is running but I don't have it opened. svchost.exe uses up quite a bit of resources at times. wuauclt.exe is running but I've turned it off.
Sometimes, my laptop just HANGS momentarily for a minute or so (it's like it's loading something or SENDING MY INFO somewhere).


SCANS: I ran GMER 4 times (twice normal, twice safe) and they all failed. I've attached 3 logs for GMER (forgot to save 1). In between the shut-down/reset process between the normal <-> safe mode, I noticed that my laptop was hanging a bit both times. Had to force shut-down both times because it was just stuck for almost 15 minutes.

Thanks again for the help!
 

Attachments

  • mbam-log-2010-08-06 (11-04-35).txt (894 bytes)
  • gmerfail1.log (18.3 KB)
  • gmerfail2.log (9.7 KB)
  • gmersafefail3.log (3.4 KB)
  • Attach.txt (15.3 KB)
Please download JavaRa

If you get this message:
Problems with the download? Please use this direct link or try another mirror.

Select the Direct link download and unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.

Follow any prompts; a log will pop up (JavaRa.log). Please post the contents of this log.

Next, open JavaRa.exe again, and select Search For Updates.

Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Look for JDK 6 Update 20 (JDK or JRE). On the right select this one: Download JRE.

In Vista and Windows 7 run the tool as Administrator.

===========

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
Hi Crunchie...
Thanks for coming to rescue me.
Before I move on to combofix.

I see Java Update 21 (should I get that instead of the 20 you recommended)?
I also ran the remove old java option and Windows prompted and told me that it could not be completed. It ran for a bit, seems to have gotten rid of some stuff and produced a log though. Is it ok?
 
Ok .. scratch that last post. I just updated with the 21.
Combofix seemed to have run smoothly, albeit a bit slower than the 'suggested 10 minutes'.

Ran combofix and it prompted me to reboot 3 times: I tried to disable realtime protection (for some reason it kept on showing up still... stopped it in services.msc afterward). It rebooted.
Combofix continued to run (prompted me about not having a recovery console), then it found whistle bootkit (wOOt!) then rebooted. After reboot, it prompted me that Windows "registry data had to be recovered by use of a log or alt. copy".
Combofix then ran their 50 stages thing and after a bit prompted me that they recovered some registry stuff again from a log/alt. copy. Rebooted again.
I'm guessing the reboots are protocol.

No pop-ups thus far, although they come once every 2-3 hours... so I'll monitor it.

Here is the Java log and the Combofix log as requested.

Thanks.
 

Attachments

  • combofixlog.txt (17.8 KB)
  • JavaRa.log (8.5 KB)
I have updated my javara :).

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your Desktop.
  • Copy and paste that information in your next post.
 
Okay... I'm on Kaspersky and it's been almost an hour. It's STILL updating the database thing, does it really take that long?

Edit: oops... there it goes finally =_= It sort of died on me for a sec... then it came back alive. That last bit of updating takes a while. Moving along now.
 
Ok... it's been scanning for about 45 minutes... I've been stuck on the last file and the scan duration timer has stopped moving for the last 20-25 minutes... It has found 2 threats and 2 infected files so far... Should I just restart it?

Update: It's about the 2nd hour... Seems like it's dead or something. Opened task manager and it's actually not running anymore... no CPU usage... the scanningprocesses.exe process disappeared. Kaspersky seems to have somehow just stopped itself. Before at least it was using up resources and what not.
I'll probably just rerun it again this time on IE to see if it's any better. Do I have to disable real-time protection by the way?
Is there an alternative to Kaspersky?
 
If you want you can give it a few more minutes and then try the following, or just do the following straight away:

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
 
Good! I've just closed it now.

By the way, I haven't gotten any pop-ups or heard any clicks. So far so good.
It's getting late (1:30am). I'll give ESET a run in the morning. I ran it about two weeks ago and it ran smoothly.

Thanks again.
 
You're in Asia I see...enjoy the afternoon and lunch. I'll try to be up in 8-9 hours to get this baby running.
Cheers.
 
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=372551f81c949045bd04975088afedb2
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-08-07 05:08:43
# local_time=2010-08-07 01:08:43 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 538007 538007 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=86896
# found=0
# cleaned=0
# scan_time=3832

Looks good... I'll see if I can run Kaspersky again. Shouldn't hurt!
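The ESET log posted above is a header of `# key=value` lines after two banner lines. As an added example (not from this thread or from ESET), here is a small parser for that header plus the checks a helper would run before calling a log clean; the sample is a constructed excerpt of the posted log. One thing worth noticing in the posted log: `remove_checked=true`, even though the instructions asked for Remove found threats to be unchecked, so the parser flags it.

```python
from typing import Dict, List, Union

# Constructed excerpt of the ESET Online Scanner log posted in the thread.
SAMPLE_LOG = """ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 538007 538007 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# scanned=86896
# found=0
# cleaned=0
# scan_time=3832
"""

def parse_eset_log(text: str) -> Dict[str, Union[str, List[str]]]:
    """Return the '# key=value' header fields; a repeated key becomes a list."""
    fields: Dict[str, Union[str, List[str]]] = {}
    for line in text.splitlines():
        if not line.startswith("# ") or "=" not in line:
            continue  # banner lines and free text are not header fields
        key, value = line[2:].split("=", 1)
        key, value = key.strip(), value.strip().strip('"')
        if key in fields:  # e.g. compatibility_mode appears several times
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    return fields

def review_scan(fields: Dict[str, Union[str, List[str]]]) -> List[str]:
    """Findings a helper would check before calling the log 'looks good'."""
    notes: List[str] = []
    if fields.get("end") != "finished":
        notes.append("scan did not finish cleanly")
    if fields.get("archives_checked") == "false":
        notes.append("archives were not scanned")
    if fields.get("remove_checked") == "true":
        notes.append("removal was enabled, so found != cleaned would need a look")
    found, cleaned = int(fields.get("found", 0)), int(fields.get("cleaned", 0))
    notes.append(f"scanned {fields.get('scanned')} objects, found {found}, cleaned {cleaned}")
    return notes
```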
 
Looks good.

Let's get rid of Combofix now that we are finished with it.
  • Click Start > Run and copy/paste the following text into the Run box and click OK:

    ComboFix /Uninstall

    Note the space between the X and the /, it needs to be there.

====

Let me know if things are still good.
 
Things are well so far. No clicking in the background, no pop-up ads.
I have something a bit odd though, not sure if it's malware? hardware?
Recently, I'd be surfing on Firefox then suddenly a lot of memory would be used up by svchost.exe (i.e. I could be using 100,000 KB for Firefox... then suddenly Firefox would drop down to a ridiculously low number and svchost.exe would use up a load of memory, 100,000 KB+). This sort of freezes my laptop momentarily. It's like Firefox and svchost.exe are trading off info or something. Happened particularly during the infection and still after we cleared up the bootkit (although it's not as severe).
I've also seen that wuauclt.exe still pops up from time to time. I'm almost positive I've turned off automatic updates because I don't want it to interfere with gaming and what not (Windows Update uses a lot of resources). I usually do the manual update every other week or so.
Now I'm just wondering if my laptop just needs a bit of an upgrade or if there are just hidden remnants of malware - although nothing's been found. Granted I haven't made a single upgrade in 4 years since I bought this laptop. It's time for another stick of RAM... I've been running at 512 MB so maybe it's wear and tear. The fact that I also run with such low HD free space could be another problem.

I tried running Kaspersky again, this time on IE... I was about 70% through it (6 hours!) then it crapped out. Seems like Java decided to just give up and what not. While scanning it did come up with 3 threats; I couldn't exactly see what they are because the report screen was blacked out. It could possibly be false positives or cookies.

Thanks! Just got rid of combofix!
 
Which version of FF are you running? I know that a couple of versions had pretty serious memory leaks on them causing them to use a lot of resources.
You should give Opera a shot :).
An upgrade might be in order, or a fresh install.
 
Running Firefox 3.6.3 right now. It's prompted me a few times to upgrade (newest 3.6.8) and I'm wondering if I should jump back down if I can.

I've heard some good things about Opera. I've just been too lazy to move since I've been using Firefox for such a long time. I'm sure there's a tool to export my passwords, bookmarks, and tabs from FF over to Opera right? I'll look into it.

Upgrade definitely... might get another stick of RAM in there. Too bad I can't upgrade my video card... blasted laptops!
Re: The fresh install, I'm going to look into what I can do about it. I don't have an install CD as Windows came pre-installed when I bought the laptop. I could try to make a recovery CD from an optical drive (which I have yet to buy). My laptop CD-ROM drive's broken I think. I have yet to uninstall and reinstall, or remove it and put it back in; again it's the laziness part. Lenovo/Thinkpads have that 1-touch re-format thing and it seems like my button is dysfunctional too. All in all, it's a functional laptop (well, the fact I rarely use the CD-ROM and never use the care button), it's just a bit dysfunctional in parts.
 
I know you can import Bookmarks, but not sure about the passwords. I doubt it though as it's a security thing.
You may want to do a defrag too.
 
Yeah I've read up about the defragging too.
I've NEVER defragged this laptop either (yeah... super laziness). Should the Windows defrag be good enough? Or is there an external program that might handle it better?
I have a feeling it'll take ages to complete a defrag... 4 years of usage without a single defrag

Just realized I have diskeeper light installed. Is that any good?
ETA: I just tried to run DK Lite and got "MMC has detected an error in a snap-in"; apparently it's wonky with SP3 (from what I've googled). So much for trying to run it.
 
I get that message from the lite version too. Just click ok and it should still run.
Leave it overnight if you have to.
 
Yup, defragged... seems like the performance is still not as crisp/new. Wear and tear I guess.

Otherwise computer seems good so far!
Anything else I need to run?
 