PC slowing down. Log files attached


CrashTekk13

Hi guys! I hope you can help me.

Found the win32.brontok virus during my scan with McAfee a few days ago and it was automatically deleted. My PC started slowing down about 5 minutes after a reboot. I also randomly found shalom.exe in one of the Application Data directories earlier today. Tried to scan it using McAfee, PC Tools Spyware Doctor and Ad-Aware, but none of them flags it as a threat.

Here are my logs.
 
Logs look clean except for a couple of minor wheel spinners that we will get back to!

But to be sure, do the below.

First cleanup! And deeply!

Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at the bottom, no Yahoo toolbar).
Run it twice or more on Cleaner (temps), then on the left click Registry, then Scan for Issues; also repeat till clean. You may have this from the 8 Steps.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html on Temp and Registry, repeatedly until no more are found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.) Run Analyze, then click Clean.

Then, only after the above, do the below!


Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

Install the Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
Did you do the HJT before the cleanups?

Reboot and run the cleanups again, in addition to the below!

Start-Programs-Accessories-System Tools-System Restore and create a new Restore Point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup.
Click OK to accept C:
Select all boxes.
Then click More Options.
Here click System Restore, OK to "Are you sure", and then OK to run.

As this runs it clears all but the most recent Restore Point, but it does one other thing too: it clears something that can contain infected files and take a huge amount of disk space.

It clears what are known as Shadow Copies, which are used by specialized backup programs.

This applies if you have Volume Shadow Copy running, which is the default.

Then do the below.

Clean and tweak services

In Services, stop and disable all of the below, just to get them out of the way for now for troubleshooting purposes.

Nothing is uninstalled or deleted, only disabled from running!

They can be put back any time later, but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

Disabled uses no memory (RAM) and no CPU cycles.
Manual uses RAM but only a small amount of CPU.
Auto and not started uses even more RAM and CPU.
Auto and started uses even more RAM and CPU.

Now, in this case we are disabling for troubleshooting purposes. But when we finish, if you leave them all off until it is noticed that you need one (not likely for 99%), then it can be enabled.

Leaving these all off then becomes a performance tweak/boost, as they free some RAM and CPU cycles! Special note: if you are going to pick and choose, then be aware that the small amount of RAM and CPU cycles of each one individually is not significant, but as a group it is! So if you need most of them (or just think you do, because you don't), then you may just as well enable them all!

Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Fast User Switching
Health Key and Certificate Management Service
Indexing Service
Messenger
Net Logon
Net.TCP Port Sharing
NetMeeting Remote Desktop Sharing
IPsec Services
QoS RSVP
Remote Registry
Uninterruptible Power Supply
Universal Plug and Play
WebClient
Windows Media Player Network Sharing

IF you are using a wired network card and NOT using wireless on this computer, then you can also disable

Wireless Zero Configuration

Wireless Zero Configuration is only used on computers with a wireless NIC, like a laptop. Do not disable Wireless Zero Configuration on a laptop. It has nothing to do with other wireless hardware like wireless routers etc.

In short, if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero Configuration.

This is not to be confused with Wired AutoConfig; do not disable that!

The below .bat file will do all of the above.

Left-drag the mouse and copy all the text in the box below for pasting. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
Then paste into the black screen of an open command prompt. All may not apply, so ignore errors.

Code:
@echo off
sc config Alerter start= disabled
sc stop Alerter

sc config AeLookupSvc start= disabled
sc stop AeLookupSvc

sc config ClipBook start= disabled
sc stop ClipBook

sc config Dfs start= disabled
sc stop Dfs

sc config FastUserSwitchingCompatibility start= disabled
sc stop FastUserSwitchingCompatibility

sc config TrkWks start= disabled
sc stop TrkWks

sc config TrkSvr start= disabled
sc stop TrkSvr

sc config DNSCache start= disabled
sc stop DNSCache

sc config ERSvc start= disabled
sc stop ERSvc

sc config HidServ start= disabled
sc stop HidServ

sc config PolicyAgent start= disabled
sc stop PolicyAgent

sc config CiSvc start= disabled
sc stop CiSvc

sc config IsmServ start= disabled
sc stop IsmServ

sc config kdc start= disabled
sc stop kdc

sc config LicenseService start= disabled
sc stop LicenseService

sc config Messenger start= disabled
sc stop Messenger

sc config Netlogon start= disabled
sc stop Netlogon

sc config NetTcpPortSharing start= disabled
sc stop NetTcpPortSharing

sc config mnmsrvc start= disabled
sc stop mnmsrvc

sc config NetDDE start= disabled
sc stop NetDDE

sc config NetDDEdsdm start= disabled
sc stop NetDDEdsdm

sc config NtLmSsp start= disabled
sc stop NtLmSsp

sc config SysmonLog start= disabled
sc stop SysmonLog

sc config RSVP start= disabled
sc stop RSVP

sc config SSDPSRV start= disabled
sc stop SSDPSRV

sc config upnphost start= disabled
sc stop upnphost

sc config WMPNetworkSvc start= disabled
sc stop WMPNetworkSvc

sc config WmiApSrv start= disabled
sc stop WmiApSrv

sc config WmdmPmSN start= disabled
sc stop WmdmPmSN

sc config RemoteRegistry start= disabled
sc stop RemoteRegistry

sc config RemoteAccess start= disabled
sc stop RemoteAccess

sc config SCardSvr start= disabled
sc stop SCardSvr

sc config TlnSvr start= disabled
sc stop TlnSvr

sc config UPS start= disabled
sc stop UPS

sc config WebClient start= disabled
sc stop WebClient

sc config JavaQuickStarterService start= disabled
sc stop JavaQuickStarterService
sc delete JavaQuickStarterService
attrib -h -s -r /s c:\jqs.*
del /f /q /s c:\jqs.*

sc config RpcSs start= auto
sc start RpcSs

sc config RpcLocator start= auto
sc start RpcLocator

sc config MSIServer start= auto
sc start MSIServer
exit
exit

Reboot and report how the system is running!

Mike
 
Hi Mike,

I did the cleanup first, then created a restore point, cleared shadow copies, cleaned and tweaked services, rebooted, did the cleanup again and ran HJT and ComboFix. Attached are the log files. I'm going to observe the behavior over the next few days.

Thanks again for your help!
 

Attachments: ComboFix.txt (20.5 KB)
Hi Mike,

I've created a big DOH!.

I have gotten a new set of Trojans on my PC, but McAfee is saying it's blocking them. How do I use the restore point created earlier, and how do I make sure it is OK to use at this point?

Thanks again for your help.
 
Hi Mike -

Thanks for all your help in this. Below are the steps I have taken:

I did a System Restore and then proceeded with the 8 steps as instructed. During the McAfee scan (step 1) it found 11 instances of the Artemis!915A05F38394 Trojan and 1 instance of the DNSChanger!f Trojan. Did CCleaner thrice on Cleaner and twice on Registry (until no issues were found). I then disabled the real-time monitoring programs of McAfee and Ad-Aware. Updated and ran MBAM (mbam-log-2009-06-13 (00-15-28).txt), updated and ran SUPERAntiSpyware (SUPERAntiSpyware Scan Log - 06-13-2009 - 00-35-00.log), made sure JRE is up to date and then ran HJT (hijackthisstep7.log).

I then did the deep clean by running CCleaner 3 times on Cleaner and 2 times on Registry (until no issues were found). Ran ATF-Cleaner at least 5 times until no files were found. Ran KCleaner. Downloaded ComboFix and got the log (combofixlog.txt). Ran HJT and got the log (hijackthisaftercombofix.log).

Thanks again.

Eugene
 
Hi Mike -

After the steps in my last post I did the following according to your instructions:

- created a new System Restore point, ran Disk Cleanup to enable deletion of old restore points
- cleaned and tweaked services by running the script for the batch file
- ran the cleanups again (CCleaner, ATF-Cleaner, KCleaner)
- ran ComboFix and HJT (logs attached)

Thanks again for your help.

Eugene
 
Fantastic job! Everything looks clean!

OK, so I don't trust McAfee, so to be sure do the below.

D/L DrWeb CureIt: http://www.snapfiles.com/get/cureit.html

My thread closing is below; I highly recommend you read it carefully and do it all. Some you have already done, so no need to do those again now!

Thread Closing-------------------------------------------------------------------

Some of these tools update so often that they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.

Double-click OTCleanIt.exe. Click CleanUp. Click Yes to "Begin cleanup Process?"

Approve all if prompted by the Firewall. Approve in Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

If prompted to reboot, click Yes.
OTCleanIt will delete itself when finished; if not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at the bottom, no Yahoo toolbar).
Run it twice or more on Cleaner (temps), then on the left click Registry, then Scan for Issues; also repeat till clean. You may have this from the 8 Steps.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html on Temp and Registry, repeatedly until no more are found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)
-------------------------------------------------------------------------------------
The issues can be, and likely are, found in System Restore, so do the below.

Start-Programs-Accessories-System Tools-System Restore and create a new Restore Point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup.
Click OK to accept C:
Select all boxes.
Then click More Options.
Here click System Restore, OK to "Are you sure", and then OK to run.

As this runs it clears all but the most recent Restore Point, but it does one other thing too: it clears something that can contain infected files and take a huge amount of disk space.

It clears what are known as Shadow Copies, which are used by specialized backup programs.

This applies if you have Volume Shadow Copy running, which is the default.
-------------------------------------------------------------------------------------
ERUNT
Add a redundant Registry backup: get and install ERUNT, let it add itself to startup, and do a backup on install, checking all boxes.

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use System Restore and other Registry and image backups.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled so as not to interfere with computer time.

If they find something they cannot clean, then get back to us.

Additionally run CCleaner, ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year; it just went from ver 3 to ver 4.

It was designed to be used with, and to co-exist with, other virus scanners.

Additionally it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works by recognizing virus/malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some firewalls do, to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example, the first time you run IE or Firefox it will prompt you. You would answer to approve and remember the setting. From then on, no more prompts about IE or Firefox unless the exe changes, like in an update.

As it queries you, to help you determine whether to approve or not, you can Google the prompt with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly recommend Hostman: http://www.abelhadigital.com/2008/07/hostsman-3157-released.html

Download, install, run and allow it to disable DNS Client; select all host files, then Update and install all host files.

A disk scan (chkdsk) and a defrag are in order.

Mike
 
Hi Mike -

I downloaded and ran DrWeb. However, it crashed at about 75% of the way. I'm getting a "Send to MS" error: xtu45.exe has encountered a problem and needs to close. I ran McAfee and it is now detecting the Artemis!915A05F38394 Trojan with the following details:

File: C:\WINDOWS\PEV.exe
Process: C:\DOCUME~1\Eugene\LOCALS~1\Temp\RarSFX0\xtu45.exe
Process Description: C:\DOCUME~1\Eugene\LOCALS~1\Temp\RarSFX0\xtu45.exe

Again thanks for your help.

Eugene
 
Hi Eugene

OK, update McAfee, MBAM and SUPERAntiSpyware.

Then boot to Safe Mode only.

Run MBAM first until clean; I think Quick Scan will do it. Run again if it finds and removes anything. We need to see a clean log!

Then SAS Quick Scan also, same as MBAM, till a clean log!

Then McAfee, followed by CureIt.

This should give better results.

If anything above needs a reboot, always go back to Safe Mode!

Then back to Normal Mode, D/L ComboFix again, run it and post the log.

Mike
 
Hi Mike -

I tried running the steps above with no problems at all, except for the last part. These are the steps I took:

- updated copies of MBAM, SAS, McAfee and DrWeb CureIt
- rebooted to Safe Mode
- ran MBAM
- ran SAS
- ran McAfee
- ran DrWeb CureIt
- all results above were clean
- rebooted to Normal Mode and downloaded ComboFix
- ran ComboFix but got an error that my copy of ComboFix has been compromised and I may have gotten "Virut". McAfee also flagged two Trojans at the same time.

I got my copy of combofix from here: https://www.techspot.com/downloads/5587-combofix.html

Thanks again for your help and your patience.

Eugene
 
The two instances found by McAfee are:

- Detection name: Artemis!915A05F38394 (Trojan)
File: C:\32788R22FWJFW\pev.exe
Process: C:\Documents and Settings\Eugene\Desktop\ComboFix.exe
Process Description: C:\Documents and Settings\Eugene\Desktop\ComboFix.exe

- Detection name: Artemis!915A05F38392 (Trojan)
File: C:\Windows\PEV.exe
Process: C:\WINDOWS\system32\cmd.execf
Process description: C:\WINDOWS\system32\cmd.execf

Thanks.
 
Oh, you don't need that! Virut is a real nasty!

Get this done ASAP!

Download Grisoft Virut remover to desktop.
http://www.filecluster.com/download-link-0/82078.html

Next

Download the below to desktop
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixVirut.com

Then reboot to Safe Mode

Run rmvirut.exe

When it finishes, run the FixVirut.com on the desktop. If the above requires a reboot, then reboot back to Safe Mode to run this one.

Post a new HJT log last!

Mike

EDIT:

When finished, reboot to normal, re-download ComboFix (the link is clean), rename ComboFix to 1cbf, then run 1cbf and get us the log!
 
Hi Mike,

I downloaded the two Virut remover utilities and rebooted to Safe Mode. I ran rmvirut.exe and it did not find any infected files. I ran FixVirut and it also did not find anything. Attached are the HJT and ComboFix logs you requested.

Thanks again for all your help.

Eugene
 
Hi Crash

Good job!

Good, we do not want to take any chances with Virut!

Thanks to Touch, another member, here are some remainders I missed that we need to handle:

Create CFScript
COMBOFIX-Script
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below.

Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

Code:
KILLALL::

File::
c:\documents and settings\Eugene\Application Data\Apple Computer\socks1.exe
c:\documents and settings\Eugene\Application Data\Creative\lego.exe
c:\documents and settings\Eugene\Application Data\Belkin\nomad.exe
c:\documents and settings\Eugene\Application Data\Ahead\rengo.dll
c:\documents and settings\Eugene\Application Data\dvdcss\msgdi.dll
c:\documents and settings\Eugene\Application Data\Adobe\shalom.exe
c:\documents and settings\Eugene\Application Data\FileZilla\kern.dll
Then drag this script and drop it on top of ComboFix.

ComboFix will now run a scan on your system.

It may reboot your system when it finishes. This is normal.

When finished, it will create a log. Attach the log back to us.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

OK, after posting the above ComboFix log and a new HJT log we may be finished, so how is the computer running?

Mike
 
Hi Mike -

I ran the script for ComboFix and HJT. Logs attached.

Thanks so much for all your help. I hope this is it :)

Eugene
 
10-4, how is it running now?

You did a fantastic job!

Consider the following! Especially ThreatFire!

Thread Closing-------------------------------------------------------------------

Some of these tools update so often that they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.

Double-click OTCleanIt.exe. Click CleanUp. Click Yes to "Begin cleanup Process?"

Approve all if prompted by the Firewall. Approve in Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

If prompted to reboot, click Yes.
OTCleanIt will delete itself when finished; if not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at the bottom, no Yahoo toolbar).
Run it twice or more on Cleaner (temps), then on the left click Registry, then Scan for Issues; also repeat till clean. You may have this from the 8 Steps.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html on Temp and Registry, repeatedly until no more are found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)
-------------------------------------------------------------------------------------
The issues can be, and likely are, found in System Restore, so do the below.

Start-Programs-Accessories-System Tools-System Restore and create a new Restore Point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup.
Click OK to accept C:
Select all boxes.
Then click More Options.
Here click System Restore, OK to "Are you sure", and then OK to run.

As this runs it clears all but the most recent Restore Point, but it does one other thing too: it clears something that can contain infected files and take a huge amount of disk space.

It clears what are known as Shadow Copies, which are used by specialized backup programs.

This applies if you have Volume Shadow Copy running, which is the default.
-------------------------------------------------------------------------------------
ERUNT
Add a redundant Registry backup: get and install ERUNT, let it add itself to startup, and do a backup on install, checking all boxes.

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use System Restore and other Registry and image backups.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled so as not to interfere with computer time.

If they find something they cannot clean, then get back to us.

Additionally run CCleaner, ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year; it just went from ver 3 to ver 4.

It was designed to be used with, and to co-exist with, other virus scanners.

Additionally it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works by recognizing virus/malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some firewalls do, to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example, the first time you run IE or Firefox it will prompt you. You would answer to approve and remember the setting. From then on, no more prompts about IE or Firefox unless the exe changes, like in an update.

As it queries you, to help you determine whether to approve or not, you can Google the prompt with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly recommend Hostman: http://majorgeeks.com/HostsMan_d4592.html

Download, install, run and allow it to disable DNS Client; select all host files, then Update and install all host files.

A disk scan (chkdsk) and a defrag are in order.

Mike
 
Hi Mike -

It looks like everything's working OK now. I have downloaded and am currently running the utilities you recommended. I will also save all this useful information for future reference.

Again, thank you so much for all the help.

Eugene
 
You did a great job!

I enjoyed helping you!

Note: If you use Hostman and lose access to a site you need, then do the below.

I have clients that call me because they lost access to MySpace, for example. Open Hostman, click to edit the hosts file, do a search for myspace and delete any line it finds with myspace in it.

Then in the Hostman menu find Exclusions, type in myspace.com and save; MySpace is no longer blocked. Don't forget to update Hostman every couple of weeks.

After you are used to ThreatFire, go into settings and max the Sensitivity Level (looks like cell phone signal strength). This will make TF more wordy, as it checks deeper, but once you approve and remember the good ones it will be quiet until something bad is found or an update changes something.

Mike
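The hosts-file exclusion procedure Mike describes above (find the blocklist lines that hit a site you need, remove them, and keep an exclusion so the next update does not re-add them) as an added Python example. This is not code from the thread or from the HostsMan project; the sample hosts content is constructed, and the script matches on DNS labels so that a search for myspace.com does not also strip an unrelated name such as notmyspace.com, which a plain text search for "myspace" would catch. On Windows the real file lives at C:\Windows\System32\drivers\etc\hosts and rewriting it needs an elevated prompt.

```python
"""Hosts-file exclusions in code: the manual Hostman steps from the post,
written in plain Python. Added example, not part of the thread and not
HostsMan's own code. SAMPLE_HOSTS below is constructed sample data."""
import sys

# Constructed sample: a hosts file after a blocklist merge. "notmyspace.com" is
# there on purpose: a plain substring search for "myspace" would hit it too.
SAMPLE_HOSTS = """\
# merged blocklist (constructed sample)
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.net tracker.example.net
0.0.0.0 myspace.com
0.0.0.0 www.myspace.com # from list X
0.0.0.0 cdn.myspace.com   evil.example.org
0.0.0.0 notmyspace.com
"""


def _split_line(line):
    """Split one hosts line into (address, [hostnames], comment).
    Blank and comment-only lines give address None and no hostnames."""
    body, sep, rest = line.partition("#")
    parts = body.split()
    comment = sep + rest if sep else ""
    if not parts:
        return None, [], comment
    return parts[0], parts[1:], comment


def host_matches(hostname, domain):
    """True when hostname equals domain or is a subdomain of it (case-insensitive).
    Compares whole DNS labels, so notmyspace.com never matches myspace.com."""
    h = hostname.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def find_blocking_lines(hosts_text, domain):
    """1-based numbers of the lines whose entries block `domain` or a subdomain.
    This is the 'search for myspace' step, done precisely."""
    return [n for n, line in enumerate(hosts_text.splitlines(), 1)
            if any(host_matches(h, domain) for h in _split_line(line)[1])]


def apply_exclusions(hosts_text, exclusions):
    """Drop every hostname covered by an exclusion from every entry.
    An entry that still lists other hostnames is kept with just those; an entry
    left with none is dropped (its trailing comment goes with it). Lines with no
    excluded hostname, comments and loopback entries included, are copied through
    unchanged. Returns (new_text, removed_hostnames)."""
    out, removed = [], []
    for line in hosts_text.splitlines():
        addr, hosts, comment = _split_line(line)
        keep = [h for h in hosts
                if not any(host_matches(h, d) for d in exclusions)]
        if len(keep) == len(hosts):
            out.append(line)  # nothing excluded here: keep original spacing
            continue
        removed.extend(h for h in hosts if h not in keep)
        if keep:
            out.append(" ".join([addr, *keep]) + (" " + comment if comment else ""))
    return "\n".join(out) + "\n", removed


def rewrite_hosts_file(path, exclusions):
    """Apply exclusions to the hosts file at `path` in place; returns what was removed.
    Writes only when something actually changed."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    new_text, removed = apply_exclusions(text, exclusions)
    if removed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return removed


if __name__ == "__main__":
    # Usage: python hosts_exclude.py <hosts_path> <domain> [domain ...]
    # With no arguments the constructed sample is processed and nothing is written.
    if len(sys.argv) < 3:
        print("blocking lines:", find_blocking_lines(SAMPLE_HOSTS, "myspace.com"))
        new, gone = apply_exclusions(SAMPLE_HOSTS, ["myspace.com"])
        print("removed:", gone)
        print(new, end="")
    else:
        print("removed:", rewrite_hosts_file(sys.argv[1], sys.argv[2:]))
```

Run without arguments to see the sample processed: lines 5 to 7 are reported as blocking myspace.com, the two entries that list only MySpace names disappear, and the shared line keeps evil.example.org while losing cdn.myspace.com. Keep the exclusion list alongside the hosts file and re-run after every blocklist update, which is what Hostman's Exclusions setting does for you.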
 
Hi Mike,

I would like to thank you again for helping me through this.

On a separate and ironic note, my wife's laptop has been infected just as I was finishing cleaning up my desktop. I will be posting the result of the 8 steps check later in a separate thread. You can now close this thread if you want.

Thanks again for all your help.

Eugene
 