Computer getting slower with malware + just got Internet Security 201



#16
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,024 posts
  • MVP
Running Combofix a second time is fine. In fact that is the recommendation with your bug. This is the latest version of Zero Access. (And the first time I have run across it - aren't you lucky!)

I think we will be OK after you do the stuff in post #11 http://www.geekstogo...ost__p__2323584
  • 0


#17
labrat51

labrat51

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
========= FILES ==========
File\Folder C:\Users\labrat51\AppData\Local\Google\Desktop\Install not found.
========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: labrat51
->Flash cache emptied: 492 bytes

User: Public

User: UpdatusUser
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: labrat51
->Java cache emptied: 0 bytes

User: Public

User: UpdatusUser

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 08172013_174602
  • 0

#18
labrat51

labrat51

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
"Run aswMBR again (pause your anti-virus and right click on aswmbr.exe and Run As Admin) but this time change it from quickscan to C:\ before you start the scan."

I do not see where to change from quickscan to C:\ in aswmbr.

The only buttons that I see are "scan", "fixMBR", "save log", and "exit"
  • 0

#19
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,024 posts
  • MVP
Look in the bottom left where it says a-v scan: Quickscan. If you click on the down arrow to the right of the box with Quickscan it should offer c:\ as an option.
  • 0

#20
labrat51

labrat51

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
In aswMBR, I do not see anything saying "a-v scan" in the bottom left, only where to uncheck "Trace disc IO calls"?
  • 0

#21
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,024 posts
  • MVP
OK. Just run it again the way you did last time and let's see if Zero Access is still there. In the meantime I will download it and test aswMBR again to see if they have changed the program.

Going off line for a couple of hours. Have to run into town.

Let's try ESET:

Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.
  • 0

#22
labrat51

labrat51

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
C:\Qoobox\Quarantine\C\Users\labrat51\iexplore.exe.vir a variant of Win32/Kryptik.BIFO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\labrat51\AppData\Local\Google\Desktop\Install\{77e41e80-6433-0103-1fc7-73b573d9910e}\C3C1~1\01C8~1\CFFE~1\{77e41e80-6433-0103-1fc7-73b573d9910e}\U\[email protected] Win32/Conedex.D trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\labrat51\AppData\Local\Google\Desktop\Install\{77e41e80-6433-0103-1fc7-73b573d9910e}\C3C1~1\01C8~1\CFFE~1\{77e41e80-6433-0103-1fc7-73b573d9910e}\U\[email protected] Win32/Conedex.T trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\labrat51\AppData\Local\Google\Desktop\Install\{77e41e80-6433-0103-1fc7-73b573d9910e}\C3C1~1\01C8~1\CFFE~1\{77e41e80-6433-0103-1fc7-73b573d9910e}\U\[email protected] Win32/Conedex.E trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\labrat51\AppData\Local\Google\Desktop\Install\{77e41e80-6433-0103-1fc7-73b573d9910e}\C3C1~1\01C8~1\CFFE~1\{77e41e80-6433-0103-1fc7-73b573d9910e}\U\[email protected] Win32/Sirefef.FA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\labrat51\AppData\Local\Google\Desktop\Install\{77e41e80-6433-0103-1fc7-73b573d9910e}\C3C1~1\01C8~1\CFFE~1\{77e41e80-6433-0103-1fc7-73b573d9910e}\U\[email protected] probably a variant of Win32/Sirefef.FV trojan cleaned by deleting - quarantined
C:\Users\labrat51\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\3F1B2AB5-00001B6D.eml HTML/TrojanDownloader.Agent.NBW.Gen trojan cleaned by deleting - quarantined
C:\Users\labrat51\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\46C14FC6-000077DF.eml HTML/Phishing.Agent.A trojan cleaned by deleting - quarantined
C:\Users\labrat51\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\00294823-00000A5B.eml HTML/Phishing.Agent.A trojan cleaned by deleting - quarantined






aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-08-17 18:31:48
-----------------------------
18:31:48.101 OS Version: Windows 6.0.6002 Service Pack 2
18:31:48.101 Number of processors: 1 586 0x7F02
18:31:48.101 ComputerName: LABRAT51-PC UserName: labrat51
18:31:49.226 Initialize success
19:14:41.133 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000057
19:14:41.133 Disk 0 Vendor: Hitachi_ ST2O Size: 305245MB BusType: 3
19:14:41.227 Disk 0 MBR read successfully
19:14:41.227 Disk 0 MBR scan
19:14:41.227 Disk 0 unknown MBR code
19:14:41.242 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
19:14:41.258 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 291931 MB offset 27265024
19:14:41.258 Disk 0 scanning sectors +625140400
19:14:41.398 Disk 0 scanning C:\Windows\system32\drivers
19:14:46.889 Service scanning
19:15:06.998 Modules scanning
19:15:34.703 Scan finished successfully
19:20:29.060 Disk 0 MBR has been saved successfully to "C:\Users\labrat51\Downloads\MBR.dat"
19:20:29.060 The log file has been saved successfully to "C:\Users\labrat51\Downloads\aswMBR.txt2.txt"
  • 0

#23
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,024 posts
  • MVP
Looks like Combofix got it. Qoobox is where it puts things it removes.

aswMBR is not showing it any more.


I downloaded aswMBR and the AV Scan option is still there in the bottom left:

[attachment=66069:aswmbr.jpg]

Don't think we need it though, since ESET didn't find anything that wasn't in Qoobox or hadn't already been deleted.

How is it running now?

Did you run sfc /scannow? Did it finish without complaint?

Let's see if we can fix some of your errors:

Open Computer Management. (Right click on (My) Computer and select Manage (Continue).)
- Go to Local Users and Groups -> Users
- Double-click UpdatusUser
- Uncheck User must change password at next logon
- Check User cannot change password
- Check Password never expires
- Click OK
- Search for Services.msc; when it finds it, right click and Run As Admin.
- Scroll down to "NVIDIA Update Service Daemon"
- Click Start. It should start without error.

You do not have the latest Java.
First go into Control Panel, Add/Remove Software (XP) or Programs and Features (Vista/Win 7) and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
Java™ 6 Update 5
Java™ 6 Update 7

Java has been very vulnerable to infection so unless you absolutely need it you should not reinstall it.

If you feel you must have Java:
Get the latest Java at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Do not let it install the yahoo toolbar or other foistware.
Once installed, go into Control Panel, Java, Security and set the slider to the Highest then OK.

(If you also want the 64 bit version then use the 64 bit version of IE to get it.)

You have a bad install of Windows Works. It's stuck and not working right. Try Windows Repair All in One:


http://www.tweaking....all_in_one.html

You can run it (right click and Run as admin) with the boxes checked in the example.


Right click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next, click on the arrow in front of Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


5. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.
  • 0
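An added illustration (not code from ESET, ComboFix, or anyone in this thread) of the triage rule applied in the post above, written in Python: read the ESET export line by line and separate detections whose path is under C:\Qoobox\Quarantine (already removed by ComboFix) from detections in live locations. The sample lines are constructed to mirror the shape of the log in post #22; the user name, the {GUID} folder and the 00000001.@ file name are placeholders.

```python
"""Triage an ESET Online Scanner text export.

Added example for this thread; it is not code from ESET, ComboFix or the forum.
It applies the rule used in the post above: a detection whose path lies under
ComboFix's quarantine folder (C:\\Qoobox\\Quarantine) was already removed, so
only detections in live locations count as new. The sample log below is
constructed to follow the line shape of the export posted in this thread; the
user name, {GUID} folder and 00000001.@ file name are placeholders."""
import re
from collections import Counter
from dataclasses import dataclass

# ComboFix moves removed items under this folder (compared case-insensitively).
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# One finding per line: a Windows path (never contains '/'), an optional
# 'a variant of' / 'probably a variant of' qualifier, the detection name
# (always contains '/', e.g. Win32/Sirefef.FA), a category word, then the action.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^/]*?)\s+"
    r"(?P<qualifier>(?:probably )?a variant of )?"
    r"(?P<detection>\S+/\S+)\s+"
    r"(?P<category>\w+)\s+"
    r"(?P<action>.+)$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str
    category: str
    action: str

    @property
    def already_quarantined(self):
        """True when the file was already sitting in ComboFix's quarantine."""
        return self.path.lower().startswith(QUARANTINE_PREFIX)


def parse_eset_log(text):
    """Return one Finding per detection line; header or summary lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append(Finding(m["path"], m["detection"], m["category"], m["action"]))
    return findings


def triage(findings):
    """Split findings into (already in quarantine, found in a live location)."""
    quarantined = [f for f in findings if f.already_quarantined]
    live = [f for f in findings if not f.already_quarantined]
    return quarantined, live


def family_counts(findings):
    """Count detections by family, i.e. the name up to the first '.'."""
    return Counter(f.detection.split(".")[0] for f in findings)


# Constructed sample export (not the log from the thread).
SAMPLE_LOG = r"""
ESET Online Scanner export (constructed header line, not a finding)
C:\Qoobox\Quarantine\C\Users\example\iexplore.exe.vir a variant of Win32/Kryptik.BIFO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\example\AppData\Local\Google\Desktop\Install\{GUID}\U\00000001.@ probably a variant of Win32/Sirefef.FV trojan cleaned by deleting - quarantined
C:\Users\example\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\3F1B2AB5-00001B6D.eml HTML/TrojanDownloader.Agent.NBW.Gen trojan cleaned by deleting - quarantined
C:\Users\example\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\00294823-00000A5B.eml HTML/Phishing.Agent.A trojan cleaned by deleting - quarantined
"""

if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_LOG)
    old, new = triage(found)
    print(f"{len(old)} detection(s) were already in ComboFix quarantine")
    for f in new:
        print(f"LIVE  {f.detection:40} {f.path}")
    print("families:", dict(family_counts(found)))
```

The two live hits in the sample are mail items in Windows Mail's Deleted Items and Junk folders, which is the same picture as in the real log: nothing executable outside quarantine, which is why the post above concludes ESET found nothing new.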

#24
labrat51

labrat51

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
"How is it running now?" It seems like it is running much better and faster.

"Did you run sfc /scannow? Did it finish without complaint?" I just ran it again and it said - Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in CBS.Log
  • 0

#25
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,024 posts
  • MVP
Copy the next two lines:

findstr /c:"[SR]" \windows\logs\cbs\cbs.log > \windows\logs\cbs\junk.txt
notepad \windows\logs\cbs\junk.txt

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Right click and Paste (or Edit, then Paste) and the copied line should appear.
Hit Enter. Notepad should open. Copy and paste the text from notepad.

This is Vista so hopefully it will just be the usual .ini files that it is complaining about.

Also, I need you to:


Right click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next, click on the arrow in front of Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


5. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.


Need to make sure Zero Access hasn't broken anything.
  • 0
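An added Python illustration, not a Microsoft tool and not from this thread, of what the two commands above do and what to read out of junk.txt: filter CBS.log to its [SR] lines, then list the member files SFC reported it could not repair and check whether they are only .ini files, the benign case the post hopes for. The sample lines are constructed; the exact [SR] wording is assumed from typical CBS.log output and may differ between Windows versions.

```python
"""Summarise the [SR] lines of CBS.log.

Added example for this thread; it is not a Microsoft tool and not code from the
forum. It does in Python what the findstr /c:"[SR]" command above does (keep
only lines carrying the [SR] marker) and then lists the member files SFC said
it could not repair, which is what the poster wants to read from junk.txt.
The sample lines are constructed; the '[SR] Cannot repair member file
[l:..{..}]"name" of Component, ...' wording is assumed from typical CBS.log
output and may differ between Windows versions."""
import re
from collections import Counter

SR_RE = re.compile(r"\[SR\]\s+(?P<msg>.*)$")
CANNOT_REPAIR_RE = re.compile(
    r'Cannot repair member file \[l:\d+\{\d+\}\]"(?P<name>[^"]+)" of (?P<component>[^,]+),'
)
REPAIRED_RE = re.compile(r'Repairing corrupted file .*?"(?P<name>[^"\\]+)" from store')


def extract_sr_messages(text):
    """The findstr step: the [SR] message of every line that carries the marker."""
    messages = []
    for line in text.splitlines():
        m = SR_RE.search(line)
        if m:
            messages.append(m["msg"])
    return messages


def unrepaired_files(messages):
    """Map file name -> component for files SFC could not repair.

    SFC writes the same 'Cannot repair' entry in more than one pass, so the
    dict also deduplicates; insertion order is the order of first appearance."""
    files = {}
    for msg in messages:
        m = CANNOT_REPAIR_RE.search(msg)
        if m and m["name"] not in files:
            files[m["name"]] = m["component"]
    return files


def repaired_files(messages):
    """Sorted names of files SFC reports it replaced from the component store."""
    names = set()
    for msg in messages:
        m = REPAIRED_RE.search(msg)
        if m:
            names.add(m["name"])
    return sorted(names)


def only_ini_files(names):
    """True when every unrepaired file is an .ini, the benign case the post hopes for."""
    return bool(names) and all(n.lower().endswith(".ini") for n in names)


def summarize(messages):
    """Counts of message kinds keyed by their first two words, e.g. 'Cannot repair'."""
    return Counter(" ".join(msg.split()[:2]) for msg in messages)


# Constructed sample of CBS.log lines (not the poster's real log).
SAMPLE_CBS_LOG = r"""
2013-08-18 10:02:11, Info                  CSI    00000123 [SR] Verifying 100 (0x00000064) components
2013-08-18 10:02:11, Info                  CSI    00000124 [SR] Beginning Verify and Repair transaction
2013-08-18 10:02:15, Info                  CSI    00000125 [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Example-Settings, Version = 6.0.6002.18005, Culture neutral in the store, hash mismatch
2013-08-18 10:02:15, Info                  CSI    00000126 [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Example-Settings, Version = 6.0.6002.18005, Culture neutral in the store, hash mismatch
2013-08-18 10:02:16, Info                  CSI    00000127 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"example.dll" from store
2013-08-18 10:02:16, Info                  CSI    00000128 [SR] Cannot repair member file [l:22{11}]"example.ini" of Microsoft-Windows-Example-Other, Version = 6.0.6002.18005, Culture neutral in the store, hash mismatch
2013-08-18 10:02:20, Info                  CSI    00000129 [SR] Verify complete
2013-08-18 10:02:20, Info                  CSI    0000012a [SR] Repair complete
2013-08-18 10:02:21, Info                  CBS    Unrelated line without the marker
"""

if __name__ == "__main__":
    msgs = extract_sr_messages(SAMPLE_CBS_LOG)
    bad = unrepaired_files(msgs)
    print(dict(summarize(msgs)))
    for name, component in bad.items():
        print(f"NOT REPAIRED  {name}  ({component})")
    print("repaired:", repaired_files(msgs))
    print("only .ini noise:", only_ini_files(bad))
```

To run it against a real machine's log instead of the constructed sample, read C:\Windows\Logs\CBS\CBS.log from an elevated prompt and pass its text to extract_sr_messages; an unrepaired file that is not an .ini (a .dll or .exe) is the case worth looking at more closely.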


#26
labrat51

labrat51

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Here is the aswMBR run scanning C: instead of quick scan. I will continue the rest of the items in the post tomorrow after I get off work. I really appreciate all of your help. Everything is running much faster.



aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-08-18 08:27:49
-----------------------------
08:27:49.344 OS Version: Windows 6.0.6002 Service Pack 2
08:27:49.344 Number of processors: 1 586 0x7F02
08:27:49.344 ComputerName: LABRAT51-PC UserName: labrat51
08:27:50.483 Initialize success
08:44:00.295 AVAST engine defs: 13081800
08:49:21.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000057
08:49:21.671 Disk 0 Vendor: Hitachi_ ST2O Size: 305245MB BusType: 3
08:49:21.780 Disk 0 MBR read successfully
08:49:21.796 Disk 0 MBR scan
08:49:21.796 Disk 0 unknown MBR code
08:49:21.796 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
08:49:21.827 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 291931 MB offset 27265024
08:49:21.827 Disk 0 scanning sectors +625140400
08:49:22.014 Disk 0 scanning C:\Windows\system32\drivers
08:49:31.764 Service scanning
08:50:03.354 Modules scanning
08:50:28.189 Disk 0 trace - called modules:
08:50:28.220 ntkrnlpa.exe CLASSPNP.SYS disk.sys storport.sys hal.dll nvstor32.sys
08:50:28.236 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b6ea968]
08:50:28.236 3 CLASSPNP.SYS[8f39f8b3] -> nt!IofCallDriver -> \Device\00000057[0x8a3d18f0]
08:50:29.468 AVAST engine scan C:\
15:57:34.691 Scan finished successfully
16:37:36.155 Disk 0 MBR has been saved successfully to "C:\Users\labrat51\Downloads\MBR.dat"
16:37:36.171 The log file has been saved successfully to "C:\Users\labrat51\Downloads\aswMBR_C.txt"
  • 0

#27
labrat51

labrat51

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I performed the following functions, but did not see Local Users and Groups:

Open Computer Management. (Right click on (My) Computer and select Manage (Continue).)
- Go to Local Users and Groups -> Users
  • 0

#28
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,024 posts
  • MVP
Sorry about that. Vista doesn't appear to have that option in the Computer Menu but you should still be able to bring it up this way:

1. Open the Start menu, and type lusrmgr.msc in the search line and wait for it to find it. Right click on it and Run As Admin.

2. If prompted by UAC, click on Continue.
  • 0

#29
labrat51

labrat51

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I followed your instructions and a window popped up saying "This computer is running Windows Vista Home Premium. This snapin may not be used with this version of Windows. To manage user accounts for this computer, use the User Accounts tool in the Control Panel."
  • 0

#30
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,024 posts
  • MVP
Well, we tried. You can look in the Control Panel under User Accounts, but you probably won't find UpdatusUser.

See if you can find a newer version of your NVIDIA software. Either on the PC maker's website or on NVIDIA http://www.nvidia.co...aspx?lang=en-us
  • 0





