Am I virus - spyware - anybadthingthatslowsmypcdown-ware free...?

Status
Not open for further replies.
Every time I have a problem I follow the 15-step cleanup guide exactly as it is... So I had done the Antirootkit scan as written in step 11...

Noob_kill found and deleted some files (6 I think)...
As far as My Computer screen is concerned, everything is OK... Right-click menus work properly, and double-clicking on a hard drive opens it!!!

Just noticed one other thing, though:
when you open Start menu and click on my computer, normally the "my computer" button stays there and fades out quickly... In my PC it fades out REALLY slow, it stays on (while fading out) for 1-2 seconds...
Something similar happens with some games: I downloaded M3 Challenge which is a similar game to GT Legends. GT Legends starts on my PC but then the whole PC crashes right after the intro video (which has a frame rate of about 1fps), while M3 Challenge starts properly, I get the same 1fps framerate in its videos, but when I get to actually play the game (it doesn't crash), it gets weird: although framerate is OK, everything is moving in slow motion - not with a delay, but in slow motion... e.g. when you hit the horn button it sounds normal. When you rev the engine it's OK, but when you put it into gear and try to start driving, the things barely move (it's not a matter of the car being slow :p )...

What is going on here? Is my PC possessed?

edit: I just noticed that Fraps shows a framerate of 3000fps-10000fps (not 30, not 300, but 3000)
 
To tell you the truth, I'm not sure what's going on with your system.

The thing is, if it is malware, then it's doing a very good job of hiding.

Have you tried reducing the number of programmes you have from running on startup? You might find that will help a great deal.

See this thread HERE, for info on speeding up your system.

Regards Howard :)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I don't think it's a matter of running programs, because it's not like the pc is running slow, but there sure are weird things going on...

When I open the start menu, program tabs (Start -> All programs -> program folder -> program) between "program folder" and "program" open slowly, not in steps like it does when heavy processes are running, but in a slow, fading-in way...

I'll give it a shot, but if i don't find anything, should I just go for a format? I have a partition on my disk with windows only, you think it will be OK to format only that one? If not, is it safe to transfer all the stuff I need (photographs etc) to another (new) HD and then format the whole of this one?
 
What is with all of these entries in the ComboFix log?

Code:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
1\Command- .\recycled\info.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\N6288.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
1\Command- .\recycled\info.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
1\Command- .\recycled\info.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\MLLaunch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adcee793-18e0-11dc-8cef-0016179a39cb}]
1\Command- .\recycled\info.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d130a26b-f63d-11db-8ca6-0016179a39cb}]
1\Command- .\recycled\info.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe
Is it possible that these files still exist?

Regards :)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
What are these files?
Do I run another scan with combofix to see if they exist?

This is a fresh Combofix log... I don't have much time now so I ran CF in normal boot mode, not in safe mode... If Safe mode is necessary I'll do it again once I have more time...
 
Ok, let's give this a try.

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh Combofix log.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

I:\autorun.exe

G:\MLLaunch.exe

D:\N6288.exe

Regards Howard :)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Should I delete these files, or not, since they are not in bold?
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

I didn't find this one, is the complete path c:\windows\system32\recycled\info.exe? I didn't find a "recycled" folder in \system32...
.\recycled\info.exe

These files are autorun files from 2 dvd drives (G and D) and one virtual drive (I)...

I:\autorun.exe
G:\MLLaunch.exe
D:\N6288.exe

I attached the logs from Avenger as well as combofix...
 
Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
Note: Please delete any existing copy of Flash Disinfector(if any) on your pc and download this one.

* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Wait until the program has finished scanning, then please exit the program.
* Restart your computer and see if problem still persists.

Post a fresh Combofix log.

Regards Howard :)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK so I connected my external (portable) HD to the pc and ran Flash_Disinfector.exe. I then restarted the PC and noticed something: It wouldn't boot with the usb hd connected... it got to a point where it scans for hard drives, found my internal hd, and stopped while searching for "usb mass storage devices"...?!? I then disconnected the hd and it booted properly... However, the problem still is there even when the external hd is not connected (I disconnected it 3-4 days ago).

Does it matter that I run combofix in normal boot mode and not in safe mode?
 
Combofix should be run from normal mode.

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Then, navigate to the following keys and delete them.

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adcee793-18e0-11dc-8cef-0016179a39cb}

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d130a26b-f63d-11db-8ca6-0016179a39cb}

Post a fresh Combofix log.

Regards Howard :)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
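The ComboFix log quoted earlier and the key-deletion step above both hinge on telling apart the two kinds of MountPoints2 entries: an AutoRun command that points at an absolute launcher on a disc (D:\N6288.exe, G:\MLLaunch.exe, I:\autorun.exe) versus one that runs a relative .\recycled\info.exe through RunDLL32 ShellExec_RunDLL, the fingerprint of a removable-media worm that copies itself onto every volume. The script below is an added example, not part of this thread or of ComboFix: it parses a dump in ComboFix's "[key]" / "name- data" layout and triages each mount point. The sample log is constructed for the example (modelled on the entries quoted in the thread, with an extra empty key "H" added to show how a leftover mapping with no command is reported), and the heuristics, function names and verdict labels are the example's own.

```python
"""Triage of Explorer MountPoints2 autorun entries from a ComboFix-style log dump."""
import re
from dataclasses import dataclass, field

# Constructed sample input in the ComboFix layout: a bracketed key header followed
# by "<value name>- <data>" lines. Modelled on the thread's log; key "H" is a
# constructed empty mapping, not something quoted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
1\Command- .\recycled\info.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\N6288.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adcee793-18e0-11dc-8cef-0016179a39cb}]
1\Command- .\recycled\info.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r"^(.+?)- (.*)$")          # ComboFix separates name and data with "- "
ROOT_AUTORUN_RE = re.compile(r"^[a-z]:\\[^\\\s]+$")  # absolute launcher sitting at a volume root


@dataclass
class MountPoint:
    key: str
    volume: str                                   # last path component: drive letter or volume GUID
    commands: dict = field(default_factory=dict)  # value name -> command line


def parse_mountpoints(log_text: str) -> list:
    """Collect every MountPoints2 subkey and its command values from the dump."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if "\\mountpoints2\\" in key.lower():
                current = MountPoint(key=key, volume=key.rsplit("\\", 1)[1])
                entries.append(current)
            else:
                current = None                    # a key from some other section of the log
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current.commands[m.group(1)] = m.group(2)
    return entries


def assess(command: str) -> list:
    """Return the reasons one autorun command line looks like removable-media malware."""
    reasons = []
    tokens = command.lower().split()
    if not tokens:
        return reasons
    # With the rundll32 ShellExec_RunDLL indirection the real payload is the last argument.
    if "shellexec_rundll" in tokens[1] if len(tokens) > 1 else False:
        reasons.append("indirect launch via rundll32 ShellExec_RunDLL")
        target = tokens[-1]
    else:
        target = tokens[0]
    if target.startswith(".\\") or target.startswith("..\\"):
        reasons.append("relative path: payload is carried on the mounted volume itself")
    if re.search(r"(^|\\)recycle[dr]\\", target):
        reasons.append("payload hidden in a recycle-bin look-alike folder")
    return reasons


def triage(entries: list) -> dict:
    """Map each volume to (verdict, reasons): suspicious / review / info / empty."""
    report = {}
    for e in entries:
        reasons = [f"{name}: {r}" for name, cmd in e.commands.items() for r in assess(cmd)]
        if reasons:
            verdict = "suspicious"
        elif any(ROOT_AUTORUN_RE.match(c.lower()) for c in e.commands.values()):
            verdict = "review"        # disc-style launcher; benign if the drive really is optical
        elif not e.commands:
            verdict = "empty"         # a cached mapping with no command; nothing to launch
        else:
            verdict = "info"
        report[e.volume] = (verdict, reasons)
    return report


def keys_to_inspect(log_text: str) -> list:
    """Full registry paths of the mount points flagged as suspicious."""
    entries = parse_mountpoints(log_text)
    report = triage(entries)
    return [e.key for e in entries if report[e.volume][0] == "suspicious"]


if __name__ == "__main__":
    for volume, (verdict, reasons) in triage(parse_mountpoints(SAMPLE_LOG)).items():
        print(f"{volume:<40} {verdict}")
        for r in reasons:
            print(f"    {r}")
```

Run against the sample, the C volume and the GUID volume come out as suspicious (relative path, recycled folder, ShellExec_RunDLL indirection), D and I as review only, and H as empty; that matches what the thread eventually concluded, where the D and G autoruns were disc launchers and the damage came from the entries carrying the relative .\recycled\info.exe command.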
 
YOU ARE A PC GOD!!!:grinthumb

Everything is OK now, back to normal! :D :D :D :D :D

Thank you very much!

What can I do to prevent such things from happening? Could it be a webpage I visited? I avoid dodgy pages, and everything I download gets checked for viruses etc...

Thanks again!

IOU
 
Ahem.

It happened again.
I tried running M3 challenge, which ran great. Didn't crash, went like a dream.
Then I say, "why don't I try playing some GTLegends (the other game I had a problem with)?" And it crashed. The PC restarted and ...guess what? Things were exactly like before the fix. So I did the last thing again (editing the registry).

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I

These keys were there and I deleted them, whereas the other two were not there.

What is going on?

Note: GTLegends runs from a DVD which is in drive G, and is Starforce protected (dunno if it is related, but I have heard that Starforce is known for causing trouble to some machines). Some months back, though, GTL played perfect on this PC.
 
GTLegends runs from a DVD which is in drive G, and is Starforce protected

I wouldn't mind betting that's the cause.

Other than not playing that game, I don't think there's much you can do.

The entries that have come back don't seem to be nasty, so maybe just forget about them.

Regards Howard :)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
howard_hopkinso said:
Other than not playing that game, I don't think there's much you can do.

The entries that have come back don't seem to be nasty, so maybe just forget about them.

OK I'll try to find a solution... What about the other problem, the strange characters in the right-click menu? Is there something I can do to avoid it? I mean, it's the third time it happens...

Thanks for everything!! ;)
 
I found the problem!

GTLegends causing the whole PC to crash and strange behaviour were totally irrelevant to each other!
GTLegends crashed because of a Starforce (the dvd protection system) problem, which was solved by downloading an official patch found at gtlegends.com.
However, the crash and therefore the restarting of the PC caused the "bad" keys to be re-written, which in turn messed up the whole system. The keys, though, were located in neither the D nor the G drive (which are physical drives), but in the I drive, which was a virtual drive created by DaemonTools...!

Result: problem solved! ;)

Strange thing is that daemontools worked ok some weeks ago... Dunno what happened, could have been some other program I installed...

Hope this helps for future reference...! :)
 