Possibly SysWow64 virus...

Inactive
By Jpringle
Jan 20, 2013
  1. First, my name is Jason and I want to thank you guys for all your hard work. My PC has been slow and acting crazy lately. Disabling programs, lots of random access denied processes running, and Microsoft Security stopped working.. I had already ran TDSSkiller before I thought to ask for help. Hopefully it doesn't make this more difficult. Any help would be much appreciated.

    Attached Files:

  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot. I'm Jason, too!


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    ComboFix scan

    Please download ComboFix[​IMG] by sUBs
    From TechSpot

    Direct Link (alternative)

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  3. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    Thanks again..

    Attached Files:

  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    TDSSKiller Scan

    Please download and run TDSSKiller to your desktop as outlined below:

    Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

    [​IMG]

    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    [​IMG]

    ------------------------

    Click the Start Scan button.

    [​IMG]

    -----------------------

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue


    [​IMG]

    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    [​IMG]


    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

    Sometimes these logs can be very large, in that case please attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    Adware Cleaning

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  5. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    Here you go.

    Attached Files:

  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death

    Note: Absence of issues does not mean that you're protected in the future.
  7. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    Its running much better. When I came in this morning it seemed to be acting up again. Some of the same odd process were running, couldn't open programs, and my driver for my graphics was showing the same error. Microsoft Security Essentials still isn't working. I just started using Malwarebytes for now. Also Event Viewer stopped working as well... Should I delete quarantine files with the ESET app as well? Thanks again.

    Attached Files:

  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Yes, delete quarantine...

    Download Windows Repair (all in one) from this site

    Install the program then run it.

    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

    [​IMG]



    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

    [​IMG]


    Go to Step 4 and under "System Restore" click on Create button:

    [​IMG]


    Go to Start Repairs tab and click Start button.

    [​IMG]


    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    [​IMG]

    Click on box next to the Restart System when Finished. Then click on Start.



    Download and run this tool, please:
    http://kb.eset.com/library/ESET/KB Team Only/Malware/ServicesRepair.exe


    Let me know how it's working after all that. :)
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, are you still with us? Please update us with the state of your situation, so we know how to continue from here.

    We'd still like to help. Topic marked inactive, until your return.
  10. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    Sorry about that. My PC stopped booting and then I left for vacation... I have/had 2 computers at work now that had been "infected". All new hard drives and Windows 8 etc and I'm starting to see some issues that are worrying me...Kaspersky being disabled, Firewall rules changing, Tons of process being moved to the "Trusted" zone etc. I need to get some one on one help to get this fixed being that its my work PC's.. Any help or direction would be much appreciated. Im going to post this in the forum also. Thanks again and sorry for disappearing like that.
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let's work here on this thread...

    What exactly are we doing now? The same computer as above, or a work computer?

    Run preliminary scans (4-step method) if a new computer is being worked on here...
  12. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    Thank you! Working on my main Desktop from work. New ASUS with a new install of Windows Pro. Not seeing any Viruses being picked up just a lot of the same behavior as before. Firewall changed, process renamed, all made trusted with a lot of open ports etc... I did a full system scan with Kasperskys tool that showed all the things I was seeing. If you would like me to post those too let me know. When I run a search for a file with just todays date I can see all the things going on. Key logging my internet sessions etc Thanks again. I

    Attached Files:

  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix scan

    Please download ComboFix[​IMG] by sUBs
    From TechSpot

    Direct Link (alternative)

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


    TDSSKiller Scan

    Please download and run TDSSKiller to your desktop as outlined below:

    Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

    [​IMG]

    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    [​IMG]

    ------------------------

    Click the Start Scan button.

    [​IMG]

    -----------------------

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue


    [​IMG]

    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    [​IMG]


    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

    Sometimes these logs can be very large, in that case please attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    Kaspersky Virus Removal Tool

    The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

    Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

    • Double-click the Setup file to install it on your computer.
    • Once it has installed, review and accept the agreement and press the Start button.
    • You will presented with the main interface, but don't scan yet, click the options tab (gear icon):
      [​IMG]
    • On the Scan Scope tab, make sure to checkmark all the options, except for the CD/DVD drive:
      [​IMG]
    • On the Security Level tab, make sure to move the slider up denoting "Current Security Level: High":
      [​IMG]
    • Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.
    • Once done scanning, choose the Report tab (page icon), select Detected Threats tab on left, and choose Disinfect All:
      [​IMG]
    • Then, choose Save. Also, in the Automatic Report tab, select Save:
      [​IMG]
    • Please post the reports in your next reply.
    • Once you exit, the tool should uninstall automatically.
     
  14. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    Combofix isn't compatible with Windows 8... Let me know what you want me to do. Also, the laptop, same OS, that is networked with this desktop, should I make another topic and chech it at the sametime?
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Oops...do the following (glanced over that too fast):

    RogueKiller Scan

    • Download RogueKiller from the following link and save it on your desktop:
      TechSpot
      Official Site (alternative)
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan
    [​IMG]

    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.
    [​IMG]

    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

      [​IMG]
    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.


    OTL Quick Scan

    Please download OTL by OldTimer to your Desktop.
    • Close all windows and double click OTL.exe.
    • Click Quick Scan button and let the program run uninterrupted.
    • It will produce a log for you called OTL.txt, please post it in your next reply.
    • You may need to use two posts to get it all.
  16. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    Here you go. Let me know what you think I should do as far as my laptop too. Thanks

    Attached Files:

  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We'll cover the other comp. very soon...

    OTL Fix


    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)


    Kaspersky GetSystemInfo Scan

    Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

    Note: please close all other applications running on your system.

    Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

    Click the Settings button.[​IMG]

    [​IMG]

    Set the slider to Maximum.

    [​IMG]

    IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.


    [​IMG]

    On the General tab, make sure all of the boxes are checked.


    [​IMG]

    On the Misc tab, make sure all the checkboxes are checked.

    Then, click OK on the windows that you launched.


    [​IMG]
    Click Create Report to run it.

    [​IMG]
    It will begin scanning.

    It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

    It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

    It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.
  18. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    All processes killed
    ========== OTL ==========
    C:\Users\Herb\AppData\Roaming\SmartPCTools\Registry Repair Wizard\UndoCenter folder moved successfully.
    C:\Users\Herb\AppData\Roaming\SmartPCTools\Registry Repair Wizard folder moved successfully.
    C:\Users\Herb\AppData\Roaming\SmartPCTools folder moved successfully.
    ADS C:\ProgramData\TEMP:ECF54A0E deleted successfully.
    ADS C:\ProgramData\TEMP:0B4227B4 deleted successfully.
    C:\Windows\SysWOW64\drivers\utm0otqz.sys moved successfully.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Herb\Desktop\cmd.bat deleted successfully.
    C:\Users\Herb\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Herb
    ->Temp folder emptied: 4093672 bytes
    ->Temporary Internet Files folder emptied: 351248 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 5110087 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 506 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 584725936 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 567.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 02052013_185537

    Files\Folders moved on Reboot...
    C:\Users\Herb\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...





    Then here is the Getinfo... Thanks again.



    http://www.getsysteminfo.com/read.php?file=0080fb235ad938e49d99d6e52a6dfa08
  19. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    I have to use this PC tomorrow... (well I say that but obviously not if you tell me not to. Lol) Is it safe to network and turn on my Antivirus? Sorry not trying to get ahead of myself just want to make sure do the right thing in the morning.
  20. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    Let me know as soon as you can on if you thinks its ok to network this PC at work... Thanks again
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    SAFE!

    Next computer?
  22. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    Sounds good. I'm still seeing some weird activity/process and my firewall via Antivirus has a lot of open ports. Also just so I have a better understanding what I'm dealing with and how to protect myself a little better could you give me a little insight. Im just worried about how I was instantly effected/infected by whatever that was on three PC's with new hard drives, new antivirus, new rotor with better firewall etc. I was very careful not to connect to the Internet etc. I just went to change my password and start my ip address with an odd number just in case and my gateway had at least 30 open ports with a bunch of activity. I also have my DVR connected with a static ip and thre ports forwarded for remote viewing... I don't know if that could be aiding in this or not. Sorry to bombard you but just want to be safe.
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Can you screenshot the ports and port names? That would be good...
  24. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    firewall.jpg firewallll.jpg

    I have multiple permission denied issues, it keeps trying to install some plugin online but wont show me what it is, and it takes 5-10 minutes to shut down.. Thank you
  25. Jpringle

    Jpringle Newcomer, in training Topic Starter Posts: 33

    I still show a bunch of adobe flash and java in the respective folders in those shots also.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.