Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91981 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Slow and freezing computer [Closed]


  • This topic is locked This topic is locked
41 replies to this topic

#31 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,386 posts
  • Interests:LFC, music, more LFC, more music

Posted 21 June 2014 - 01:29 PM

Download/run Rkill:

Please download Rkill from one of the following links and save to your Desktop:

Link One
Link Two
Link Three
Link Four

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software which attempts to terminate tools that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.

You may have to make repeated attempts to use Rkill several times before it will run as some malware variants try to block it.

You'll be able to tell when rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

Do not reboot your computer after running rkill as the malware programs will start again.

Please try ComboFix again.

Satchfan


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

    Advertisements

Register to Remove


#32 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 22 June 2014 - 12:23 PM

Okay, I ran rkill and below it the report.  I tried Combofix again and it did the same thing, only this time it froze the entire computer.

 

Rkill 2.6.7 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 06/21/2014 06:23:19 PM in x86 mode.
Windows Version: Windows Vista ™ Home Basic Service Pack 2
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKLM\Software\Classes\.exe\shell found and deleted!
 
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1 localhost
  ::1 localhost
 
Program finished at: 06/21/2014 06:27:27 PM
Execution time: 0 hours(s), 4 minute(s), and 8 seconds(s)


#33 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,386 posts
  • Interests:LFC, music, more LFC, more music

Posted 22 June 2014 - 03:14 PM

Rkill found only one problem so let's run a full online scan to see if anything else is found.

Run ESET Online Scan

IMPORTANT Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files which could leave some of your software inoperable.

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan

  • click the Eset online Scanner button
  • for alternate browsers only: (Microsoft Internet Explorer users can skip these steps)


    o    click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop.
    o    double click on the Eset installer icon on your desktop.
     

  • check Yes, I accept the Terms of Use
  • click the Start button
  • accept any security warnings from your browser
  • check Scan archives and Remove found threats
  • click Advanced settings and select the following:


    o    Scan potentially unwanted applications
    o    Scan for potentially unsafe applications
    o    Enable Anti-Stealth technology
     

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • when the scan completes, push List of found threats
  • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

    Note - if ESET doesn't find any threats, no report will be created.
  • push the back button.
  • push Finish

When the scan is complete:

If no threats were found:

o    put a checkmark in "Uninstall application on close"
o    close program
o    report to me that nothing was found

If threats were found:

o    click on "list of threats found"
o    click on "export to text file" and save it as ESET results and save to the desktop
o    Click on back
o    put a checkmark in "Uninstall application on close"
o    click on finish
o    close program
o    copy and paste the report here.
 

Thanks

Satchfan

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#34 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 25 June 2014 - 10:50 AM

here is the log

 

 

C:\FRST\Quarantine\C\Users\rac\protect.dll.xBAD probably a variant of Win32/Opachki.A trojan
C:\ProgramData\InstallMate\{2CA1763F-539C-473D-A5D6-1BBEF74254C9}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\InstallMate\{2CA1763F-539C-473D-A5D6-1BBEF74254C9}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\rac\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\rac\AppData\Local\Microsoft\Windows\TEMPOR~1\VIRTUA~1\C\Users\rac\protect.dll probably a variant of Win32/Opachki.A trojan
C:\Users\rac\Downloads\avc-free (1).exe Win32/OpenCandy potentially unsafe application
C:\Users\rac\Downloads\avc-free.exe Win32/OpenCandy potentially unsafe application
C:\Users\rac\Downloads\cbsidlm-cbsi183-ISO_Recorder_Windows_VistaWindows_7_32bit-SEO-10691825.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Users\rac\Downloads\FileZilla_3.7.4.1_win32-setup.exe a variant of Win32/Injected.F trojan
C:\Users\rac\Downloads\Php.Pro.Bid.v6.x.MODS.NULL.zip PHP/Obfuscated.D potentially unwanted application


#35 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,386 posts
  • Interests:LFC, music, more LFC, more music

Posted 25 June 2014 - 04:42 PM

Let’s get rid of what Eset found and then we’ll have another look because there are still a few things to check out.


Please copy all text in the code box below and paste it into Notepad:
 


@echo off
del /f /s /q "C:\ProgramData\InstallMate"
del /f /s /q "C:\Users\All Users\InstallMate"
del /f /s /q "C:\Users\rac\Downloads\avc-free (1).exe
del /f /s /q "C:\Users\rac\Downloads\avc-free.exe Win32"
del /f /s /q "C:\Users\rac\Downloads\cbsidlm-cbsi183-ISO_Recorder_Windows_VistaWindows_7_32bit-SEO-10691825.exe"
del /f /s /q "C:\Users\rac\Downloads\FileZilla_3.7.4.1_win32-setup.exe"
del /f /s /q "C:\Users\rac\Downloads\Php.Pro.Bid.v6.x.MODS.NULL.zip"
del %0
  • save the Notepad file to your desktop and name it delfiles.bat
  • save type as "All Files"
  • on your desktop, double-click on delfiles.bat to run it, (a black CMD window will flash, then disappear - this is normal).

Please run Eset again and post the result.

Satchfan

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#36 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 25 June 2014 - 09:07 PM

Okay.  Ran the delfile and redid the scan.  Here's the log:

 

C:\FRST\Quarantine\C\Users\rac\protect.dll.xBAD probably a variant of Win32/Opachki.A trojan
C:\ProgramData\InstallMate\{2CA1763F-539C-473D-A5D6-1BBEF74254C9}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\InstallMate\{2CA1763F-539C-473D-A5D6-1BBEF74254C9}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\rac\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\rac\AppData\Local\Microsoft\Windows\TEMPOR~1\VIRTUA~1\C\Users\rac\protect.dll probably a variant of Win32/Opachki.A trojan
C:\Users\rac\Downloads\avc-free.exe Win32/OpenCandy potentially unsafe application
C:\Users\rac\Downloads\cbsidlm-cbsi183-ISO_Recorder_Windows_VistaWindows_7_32bit-SEO-10691825.exe a variant of Win32/CNETInstaller.B potentially unwanted application


#37 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,386 posts
  • Interests:LFC, music, more LFC, more music

Posted 26 June 2014 - 09:31 AM

Using Windows Explorer, (Windows key+E), locate and delete these folders/files:

C:\ProgramDataInstallMate
C:\Users\All Users\InstallMate


and in

C:\Users\rac\Downloads

delete these files:

avc-free.exe
cbsidlm-cbsi183-ISO_Recorder_Windows_VistaWindows_7_32bit-SEO-10691825.exe


Can you tell me if there are any outstanding problems.

Satchfan


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#38 Sarit

Sarit

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 28 June 2014 - 01:14 PM

Deleted the files, though the InstallMate under Users was not in the directory.  I did a search and couldn't find it anywhere else on the system.

 

It's running a lot faster now.  Chrome doesn't freeze every five minutes like it used it.  It does still do it sometimes, but nowhere near as much as before.



#39 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,386 posts
  • Interests:LFC, music, more LFC, more music

Posted 28 June 2014 - 03:24 PM

Please download SystemLook from the link below and save it to your Desktop.

SystemLook (32-bit)

  • double-click SystemLook.exe to run it.
  • copy the content of the following codebox into the main textfield - please make sure you include the colon, (:), at the beginning.:

    :filefind
    *InstallMate*
    
    :folderfind
    *InstallMate*
    
    :Regfind
    InstallMate
    
  • click the Look button to start the scan.
  • when finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

====================================================

Chrome has been known to cause problems and unnfortunately, the easiest way to deal with it is to uninstall and re-install it.

Uninstall Chrome and, if asked about user data or settings, remove those also.

Restart the computer and re-install Chrome


Send SystemLook.txt and once you have dealt with Chrome, let me know if there is a difference.

Satchfan
 

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#40 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,386 posts
  • Interests:LFC, music, more LFC, more music

Posted 28 June 2014 - 03:25 PM

Please download SystemLook from the link below and save it to your Desktop.

SystemLook (32-bit)

  • double-click SystemLook.exe to run it.
  • copy the content of the following codebox into the main textfield - please make sure you include the colon, (:), at the beginning.:

    :filefind
    *InstallMate*
    
    :folderfind
    *InstallMate*
    
    :Regfind
    InstallMate
    
  • click the Look button to start the scan.
  • when finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

====================================================

Chrome has been known to cause problems and unnfortunately, the easiest way to deal with it is to uninstall and re-install it.

Uninstall Chrome and, if asked about user data or settings, remove those also.

Restart the computer and re-install Chrome


Send SystemLook.txt and once you have dealt with Chrome, let me know if there is a difference.

Satchfan
 

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

    Advertisements

Register to Remove


#41 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,386 posts
  • Interests:LFC, music, more LFC, more music

Posted 02 July 2014 - 03:27 PM

Hi Sarit

It has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Thanks

Satchfan


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#42 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,386 posts
  • Interests:LFC, music, more LFC, more music

Posted 03 July 2014 - 04:00 PM

Due to inactivity this topic will be closed.
If you need help please start a new thread.

New members follow the instructions here http://forums.whatth...ed_t106388.html and start a new topic

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users