Virus? Running sluggish and freezes up. Logs attached
- Thread starter heyben
- Start date
- Status
Bobbye
Posts: 16,313 +36
Welcome to TechSpot, Ben. My apology for the delay- lots of systems with malware!
Do you know what this entry is?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
I had one other log with it yesterday- it was a Windows XP OS> That user didn't know what it was for. I can't identify anything in a search that would be appropriate for this category.
Please reopen HijackThis to 'do system scan only' and check the following if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve (unless you are able to ID it)
O15 - Trusted Zone: .66.129.114.121[/url]
O15 - Trusted Zone: .Realfast2.com[/url]
O15 - Trusted Zone: .Realfast2go.com[/url]
Close all Windows except HijackThis and click on "Fix Checked".
I suggest you remove the 015 entries from the Trusted Zone. IF you did NOT place them there, let me know- there's a small program I'll have you run.
Other than those entries, there's nothing significant in these logs.
Please describe this pop-up for me.
Question:
How much RAM is installed. Vista needs a minimum of 2GB.
For the freezes: Note the computer clock on the next freeze. Then check the Event Viewer to see if there is any Error that corresponds to that time. The site below will guide you through the event Viewer.
Monitoring the Event Viewer in Vista
Errors are time coded so copy any Errors for around the freeze time and paste them here. You do not need to include all the line below the Description.
Run a full system scan with McAfee AV, save the log and attach it to next reply.
Hopefully the above will help me know which path to follow next..
Do you know what this entry is?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
I had one other log with it yesterday- it was a Windows XP OS> That user didn't know what it was for. I can't identify anything in a search that would be appropriate for this category.
Please reopen HijackThis to 'do system scan only' and check the following if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve (unless you are able to ID it)
O15 - Trusted Zone: .66.129.114.121[/url]
O15 - Trusted Zone: .Realfast2.com[/url]
O15 - Trusted Zone: .Realfast2go.com[/url]
Close all Windows except HijackThis and click on "Fix Checked".
I suggest you remove the 015 entries from the Trusted Zone. IF you did NOT place them there, let me know- there's a small program I'll have you run.
Other than those entries, there's nothing significant in these logs.
Please describe this pop-up for me.
Question:
How much RAM is installed. Vista needs a minimum of 2GB.
For the freezes: Note the computer clock on the next freeze. Then check the Event Viewer to see if there is any Error that corresponds to that time. The site below will guide you through the event Viewer.
Monitoring the Event Viewer in Vista
Errors are time coded so copy any Errors for around the freeze time and paste them here. You do not need to include all the line below the Description.
Run a full system scan with McAfee AV, save the log and attach it to next reply.
Hopefully the above will help me know which path to follow next..
Thanks so much for the response! I might have accidentally made some changes, so I reran the 8 steps and they found some additional trojans, etc. Logs attached (Again).
All of the items you mentioned in the Hijack this were still present, so I just removed those. Exceptions being the two realfast entries, as they are part of a real estate contract software I use. I don't know what .66.129.114.121/ is/was
The alert popup is visable in the task manager, and has an icon picture that appears to be two chain links. No idea what it is, and it is always there when I turn on the computer. I have noticed no ill effects from quiting the application from task manager, but can't find how to remove it permenantly. Doesn't show up in a search from the add/remove programs. I'm running Vista Home Premium SP2 with 2GB of ram installed
Do you see anything in the latest set of logs to be concerned about? Thank you SO much for taking the time to look and reply, I really appreciate it.
Regards,
Ben
All of the items you mentioned in the Hijack this were still present, so I just removed those. Exceptions being the two realfast entries, as they are part of a real estate contract software I use. I don't know what .66.129.114.121/ is/was
The alert popup is visable in the task manager, and has an icon picture that appears to be two chain links. No idea what it is, and it is always there when I turn on the computer. I have noticed no ill effects from quiting the application from task manager, but can't find how to remove it permenantly. Doesn't show up in a search from the add/remove programs. I'm running Vista Home Premium SP2 with 2GB of ram installed
Do you see anything in the latest set of logs to be concerned about? Thank you SO much for taking the time to look and reply, I really appreciate it.
Regards,
Ben
Bobbye
Posts: 16,313 +36
The system is infected by the Smitfraud Trojan- or by another name, the Zlob Trojan. When it's installed, it will show fake notification messages that your computer is in danger- this is an attempt to get you to download a rogue security tool that you pay for in order to remove it . It may replace critical Windows components with files for the malware.
The alert pop-up is most likely in the Taskbar rather than the Task Manager.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
The alert pop-up is most likely in the Taskbar rather than the Task Manager.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
thanks for the quick response!
I downloaded and unzipped, but can't get a log to appear.
When I run it, it says access denied several times.
When I run it as an administrator by right clicking, it says that process.exe file is missing.
I deleted the file in my documents, then tried again with the same results.
Thoughts?
I downloaded and unzipped, but can't get a log to appear.
When I run it, it says access denied several times.
When I run it as an administrator by right clicking, it says that process.exe file is missing.
I deleted the file in my documents, then tried again with the same results.
Thoughts?
Bobbye
Posts: 16,313 +36
My bad! URL isn't good and it's suppose to be combined with Mbam.
Please run this instead:
Download ComboFix HERE:
Notes:
Please run this instead:
Download ComboFix HERE:
- With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
- Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
- Run Combo-Fix.exe and follow the prompts.
(Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.) - Wait for the scan to be completed.
- If it requires a reboot, please do it.
Notes:
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Bobbye
Posts: 16,313 +36
Ben, spreading a cleaning out over 3 weeks with a 2 week gap at one point, isn't a good working resolution.
Exactly what problems are you experiencing at this point.?We have not established if you have a malware problem, a system problem or some of both.
I did notice the following in Combofix:
2009-10-21 16:38 . 2009-10-21 16:40 -------- d-----w- c:\windows\system32\ca-ES
2009-10-21 16:38 . 2009-10-21 16:39 -------- d-----w- c:\windows\system32\eu-ES
2009-10-21 16:38 . 2009-10-21 16:39 -------- d-----w- c:\windows\system32\vi-VN
2009-10-21 15:25 . 2009-10-21 15:25 -------- d-----w- c:\windows\system32\EventProviders
I did identify eu-ES as related to http://packages.debian.org/search?keywords=apertium-eu-es
apertium-eu-es >> this is a free operating system, Are you trying to run Debian in a Windows environment?
'Event Providers' shows on that same date, but doing a search isn't very productive.
The 4 entries you have in the Trusted Zone are legitimate. I was asking you to remove them from the Trusted Zone. The IP 66.129.114.121 is part of RealFast. The Trusted Zone has lower security than the internet zone and I try to discourage putting any sites in that zone unless they are for an intranet you have set up. But that's your call.
Exactly what problems are you experiencing at this point.?We have not established if you have a malware problem, a system problem or some of both.
I did notice the following in Combofix:
2009-10-21 16:38 . 2009-10-21 16:40 -------- d-----w- c:\windows\system32\ca-ES
2009-10-21 16:38 . 2009-10-21 16:39 -------- d-----w- c:\windows\system32\eu-ES
2009-10-21 16:38 . 2009-10-21 16:39 -------- d-----w- c:\windows\system32\vi-VN
2009-10-21 15:25 . 2009-10-21 15:25 -------- d-----w- c:\windows\system32\EventProviders
I did identify eu-ES as related to http://packages.debian.org/search?keywords=apertium-eu-es
apertium-eu-es >> this is a free operating system, Are you trying to run Debian in a Windows environment?
'Event Providers' shows on that same date, but doing a search isn't very productive.
The 4 entries you have in the Trusted Zone are legitimate. I was asking you to remove them from the Trusted Zone. The IP 66.129.114.121 is part of RealFast. The Trusted Zone has lower security than the internet zone and I try to discourage putting any sites in that zone unless they are for an intranet you have set up. But that's your call.
- Status
Similar threads
Latest posts
-
AMD Radeon RX 5700 XT Revisit: How Does It Compare Against the 7700 XT?- i like foxes replied
