TechSpot

Virus? Running sluggish and freezes up. Logs attached

By heyben
Oct 25, 2009
  1. Not sure what's going on with my computer or Vista, any help would be appreciated. One thing I do have is the dreaded alert popup in task manager. I followed the 8 steps and have attached the logs.

    Thanks a million,
    Ben
     
  2. heyben

    heyben TS Rookie Topic Starter

    I would really be forever grateful if someone could please take a look at these logs and give me their opinion. I'm clueless about how to read them, maybe there's nothing there, but it would be a relief to know.

    Thanks so much in advance,

    Ben
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Ben. My apology for the delay- lots of systems with malware!

    Do you know what this entry is?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve

    I had one other log with it yesterday- it was a Windows XP OS. That user didn't know what it was for. I can't identify anything in a search that would be appropriate for this category.

    Please reopen HijackThis to 'do system scan only' and check the following if present:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve (unless you are able to ID it)
    O15 - Trusted Zone: http://*.66.129.114.121
    O15 - Trusted Zone: http://*.Realfast2.com
    O15 - Trusted Zone: http://*.Realfast2go.com


    Close all Windows except HijackThis and click on "Fix Checked".

    I suggest you remove the O15 entries from the Trusted Zone. IF you did NOT place them there, let me know- there's a small program I'll have you run.

    Other than those entries, there's nothing significant in these logs.

    Please describe this pop-up for me.

    Question:
    How much RAM is installed? Vista needs a minimum of 2GB.


    For the freezes: Note the computer clock on the next freeze. Then check the Event Viewer to see if there is any Error that corresponds to that time. The site below will guide you through the Event Viewer.

    Monitoring the Event Viewer in Vista


    Errors are time coded so copy any Errors for around the freeze time and paste them here. You do not need to include all the lines below the Description.

    Run a full system scan with McAfee AV, save the log and attach it to next reply.

    Hopefully the above will help me know which path to follow next.
     
  4. heyben

    heyben TS Rookie Topic Starter

    Thanks so much for the response! I might have accidentally made some changes, so I reran the 8 steps and they found some additional trojans, etc. Logs attached (Again).

    All of the items you mentioned in HijackThis were still present, so I just removed those. Exceptions being the two realfast entries, as they are part of a real estate contract software I use. I don't know what .66.129.114.121/ is/was.

    The alert popup is visible in the task manager, and has an icon picture that appears to be two chain links. No idea what it is, and it is always there when I turn on the computer. I have noticed no ill effects from quitting the application from task manager, but can't find how to remove it permanently. Doesn't show up in a search from the add/remove programs. I'm running Vista Home Premium SP2 with 2GB of RAM installed.


    Do you see anything in the latest set of logs to be concerned about? Thank you SO much for taking the time to look and reply, I really appreciate it.

    Regards,
    Ben
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The system is infected by the Smitfraud Trojan- or by another name, the Zlob Trojan. When it's installed, it will show fake notification messages that your computer is in danger- this is an attempt to get you to download a rogue security tool that you pay for in order to remove it. It may replace critical Windows components with files for the malware.

    The alert pop-up is most likely in the Taskbar rather than the Task Manager.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  6. heyben

    heyben TS Rookie Topic Starter

    Thanks for the quick response!
    I downloaded and unzipped, but can't get a log to appear.

    When I run it, it says access denied several times.
    When I run it as an administrator by right clicking, it says that process.exe file is missing.

    I deleted the file in my documents, then tried again with the same results.
    Thoughts?
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    My bad! URL isn't good and it's supposed to be combined with Mbam.

    Please run this instead:
    Download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

      1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  8. heyben

    heyben TS Rookie Topic Starter

    Hi Bobbye,

    Sorry for the delay in my response, and thanks again for all your help. Here's my combofix log. Would you mind taking a peek to see if there is anything else I need to do?

    Thanks,
    Ben
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Ben, spreading a cleaning out over 3 weeks with a 2 week gap at one point, isn't a good working resolution.

    Exactly what problems are you experiencing at this point? We have not established if you have a malware problem, a system problem or some of both.

    I did notice the following in Combofix:
    2009-10-21 16:38 . 2009-10-21 16:40 -------- d-----w- c:\windows\system32\ca-ES
    2009-10-21 16:38 . 2009-10-21 16:39 -------- d-----w- c:\windows\system32\eu-ES
    2009-10-21 16:38 . 2009-10-21 16:39 -------- d-----w- c:\windows\system32\vi-VN
    2009-10-21 15:25 . 2009-10-21 15:25 -------- d-----w- c:\windows\system32\EventProviders

    I did identify eu-ES as related to http://packages.debian.org/search?keywords=apertium-eu-es
    apertium-eu-es >> this is a free operating system. Are you trying to run Debian in a Windows environment?

    'Event Providers' shows on that same date, but doing a search isn't very productive.



    The 4 entries you have in the Trusted Zone are legitimate. I was asking you to remove them from the Trusted Zone. The IP 66.129.114.121 is part of RealFast. The Trusted Zone has lower security than the internet zone and I try to discourage putting any sites in that zone unless they are for an intranet you have set up. But that's your call.
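
Added example, not part of the thread or any poster's code: a small Python parser for the HijackThis `R0`/`R1` and `O15` lines quoted above, which separates Trusted Zone hosts the user recognises from those that still need a question, as happened here with the bare IP. The function names, the `expected_hosts` parameter and the regular expressions are assumptions that cover only the line shapes shown on this page.

```python
import ipaddress
import re

# Constructed sample: the entry lines quoted in the thread, one per line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
O15 - Trusted Zone: http://*.66.129.114.121
O15 - Trusted Zone: http://*.Realfast2.com
O15 - Trusted Zone: http://*.Realfast2go.com
"""

# R-lines: code, hive, key path, value name, data (data may be empty).
REG_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.+?) =\s*(.*)$")
# O15 lines: optional scheme, optional "*." wildcard prefix, then the host.
ZONE_LINE = re.compile(r"^O15 - Trusted Zone: (?:(\w+)://)?(?:\*\.)?(\S+)$")


def _is_ip(host):
    """True when the Trusted Zone host is a literal IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_entries(log_text):
    """Return one dict per R0-R3 or O15 line; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_LINE.match(line)
        if m:
            keys = ("code", "hive", "key", "name", "data")
            entries.append(dict(zip(keys, m.groups())))
            continue
        m = ZONE_LINE.match(line)
        if m:
            scheme, host = m.groups()
            entries.append({"code": "O15", "scheme": scheme or "*",
                            "host": host.lower(), "is_ip": _is_ip(host)})
    return entries


def review_trusted_zone(entries, expected_hosts):
    """Split O15 hosts into (recognised, unrecognised) against a user-supplied set."""
    zone = [e["host"] for e in entries if e["code"] == "O15"]
    known = [h for h in zone if h in expected_hosts]
    return known, [h for h in zone if h not in expected_hosts]
```
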
     
Topic Status:
Not open for further replies.
