MalwareCrypt
Topic: Slow PC even after Trojan removal
Jintan
« Reply #15 on: November 08, 2009, 11:01:29 AM »

That was cut into four parts, but still pretty awkward to post. For any other logs, if needed, you can leave out all those repeated files listed as changed on 9-23.


To answer an earlier question you asked, the HijackThis online analyzers are not always accurate, and only provide general information. They are more informational than actually used for any changes or decisions. However, I am not a supporter of either of those free Iolo or IObit programs you have installed there. Too often their use results in problems more than corrections. But your choice on those.

The log shows you have the Ask Toolbar installed, which is related to adware/spyware - made by the same vendor that makes the MyWebSearch adware/spyware (see here and here).

This was likely brought to the system by SpySweeper, which now includes it as part of its own installation. See our sister site's info here for all the software that installs Ask. You can remove it through Add/Remove Programs, but might reconsider using any software like SpySweeper that adds adware to a user's system.

---------------

But right now the logs also show an autorun malware infection there, so let's start some repairs.


The malware has included an autorun type component, so if any external drives have been used on this computer recently be sure to install them now, and leave them installed until ALL repairs on it are completed. If not, they will remain infected and can re-infect the computer (or others).


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.


Code:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{474804c2-a83b-11de-8f3a-001bfc6de1aa}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdb0ee4e-a84a-11de-8c9e-001bfc6de1aa}]

Open Notepad (Start - Run, type Notepad then press OK), and copy the text inside the box above and paste it into the open Notepad textbox.

Save this to your desktop as "fixer.reg"

Be sure to include the "" quotes in the name.

Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry.

-----------------

Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As"). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
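Before merging a .reg fix like the one above, it is worth confirming exactly what it will do. The following is an added example, not code from the original post: a small parser for the REGEDIT4 / "Windows Registry Editor Version 5.00" script format that lists every key and value operation the script performs. The sample it parses is the fixer.reg from the post plus one constructed section (a Run key with a deleted value, a DWORD and a quoted default value; that section is an illustration and is not in the thread) so that the remaining syntax is exercised. A `[-KEY]` header deletes the key and its subtree, `"name"=-` deletes a value, and `@=` sets a key's default value. The MountPoints2\{GUID} keys targeted here are where Explorer caches per-volume settings, including the shell\AutoRun\command read from a drive's autorun.inf, which is why autorun clean-ups delete them.

```python
"""Parse a Windows .reg script and list exactly what merging it would do.

Added example for this thread; not code from the original posts.  SAMPLE_REG is
the fixer.reg posted above plus one constructed section (marked below).  Only
single-line values are handled; hex(...) data continued over several lines
with trailing backslashes is not.
"""
import re
from dataclasses import dataclass

SAMPLE_REG = r'''REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{474804c2-a83b-11de-8f3a-001bfc6de1aa}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdb0ee4e-a84a-11de-8c9e-001bfc6de1aa}]

; constructed section (not in the thread): a Run key with a deleted value,
; a DWORD and a quoted default value, to show the remaining syntax
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleStartup"=-
"ExampleFlag"=dword:00000001
@="C:\\Example\\tool.exe \"%1\""
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Explorer caches per-volume settings (including an autorun.inf's
# shell\AutoRun\command) under MountPoints2\{volume GUID}; deleting the GUID
# key drops the cached autorun command for that removable drive.
MOUNTPOINTS2_RE = re.compile(
    r"^HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]{36}\})$",
    re.IGNORECASE,
)


@dataclass
class RegOp:
    action: str            # delete_key | create_key | set_value | delete_value
    key: str
    name: object = None    # None for key-level ops; "" for the (default) value
    value: object = None


def _unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def _parse_value(raw: str):
    raw = raw.strip()
    if raw == "-":
        return "delete", None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return "string", _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "dword", int(raw[6:], 16)
    raise ValueError(f"unsupported value syntax: {raw}")


def parse_reg(text: str) -> list:
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Windows Registry Editor Version 5.00 header")
    ops, key = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):          # [-KEY] deletes the key and its subtree
                ops.append(RegOp("delete_key", body[1:]))
                key = None                    # values may not follow a deletion
            else:
                key = body
                ops.append(RegOp("create_key", key))
            continue
        if key is None:
            raise ValueError(f"value outside a key section: {line}")
        lhs, _, rhs = line.partition("=")     # value names containing '=' are not handled
        lhs = lhs.strip()
        name = "" if lhs == "@" else _unescape(lhs[1:-1])
        kind, value = _parse_value(rhs)
        if kind == "delete":
            ops.append(RegOp("delete_value", key, name))
        else:
            ops.append(RegOp("set_value", key, name, value))
    return ops


def mountpoints2_guids(ops) -> list:
    """Volume GUIDs whose cached Explorer/autorun settings the script removes."""
    guids = []
    for op in ops:
        m = MOUNTPOINTS2_RE.match(op.key) if op.action == "delete_key" else None
        if m:
            guids.append(m.group(1))
    return guids


if __name__ == "__main__":
    ops = parse_reg(SAMPLE_REG)
    for op in ops:
        print(op)
    print("MountPoints2 volumes removed:", mountpoints2_guids(ops))
```

Run stand-alone it prints one line per operation; for the posted fixer.reg that is two key deletions and nothing else, which is what a reviewer wants to see before allowing a .reg from a forum to merge. Anything the parser does not recognise raises rather than being silently skipped.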
chiquitan
« Reply #16 on: November 08, 2009, 02:30:12 PM »

Just before I received your latest answer I was actually doing a scan with Malwarebytes. The result is two malware detections; see the log below.

I’ll print the instructions before doing the repairs, otherwise I’ll get lost in the whole process because it seems quite complicated.

As far as the Ask toolbar is concerned, I never use it. I checked when it was installed. The Ask toolbar (26 October) was not installed on the same date as SpySweeper (29 September) so the source of adware installed should not be SpySweeper, although I’m not satisfied with this programme either.

As far as I am concerned, SpySweeper has NEVER found or removed any spyware from my pc, only cookies (and every day the same ones). The only antispyware programme that found something (one Trojan and adware) was SuperAntispyware, which removed them. However, all the problems still remain.

I complained about the above to Webroot but of course they denied it. However, SpySweeper is not a programme which is not considered as rogue by the website Spyware Warrior (http://www.spywarewarrior.com/rogue_anti-spyware.htm). I think the Ask toolbar must have rather been installed while installing IE 08 (Google Toolbar, Yahoo toolbar, …) or some other plug-in.

A few questions:

1) Which antispyware programmes do you finally recommend ?
2) And which antivirus programme do you personally use ?
3) Idem for junk file removers
4) and registry cleaners ?

5) Can I already perform a scan with Combofix now or do I have to implement the other repairs first ?

6) Just out of curiosity: which part of the world do you live in? :rolleyes:


This is the Malwarebytes log file:

Malwarebytes' Anti-Malware 1.41
Database version: 2936
Windows 6.0.6002 Service Pack 2

8/11/2009 20:59:22
mbam-log-2009-11-08 (20-59-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 248914
Time elapsed: 2 hour(s), 46 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Jintan
« Reply #17 on: November 08, 2009, 03:00:34 PM »

"Geen kwaadaardige" ("No malicious") :) I live in the eastern USA, but I lived in Neerpelt in België when I was younger and in the military. A long time ago.

We can discuss security software, but first let's make sure all malware is removed. Remember, be sure that any flash/thumb/usb drives that had been used on this computer recently are now installed, and stay installed until I let you know the malware has been removed.

Go ahead now if you would and do the steps I posted, and let's see the results.
chiquitan
« Reply #18 on: December 05, 2009, 05:27:54 PM »

I was abroad for a couple of weeks and couldn’t implement the instructions as mentioned below. Actually, they seem quite complicated.

I tried the instructions below but it doesn’t seem to work. Or at least, nothing seems to happen. My Windows Vista is in Dutch. Hence, I’ll explain what I exactly did:

I clicked on START.
I clicked on the icon "Kladblok" (Notepad) and opened it.
I copied the (complete) text inside the box (REGEDIT 4 + registry keys) and pasted it into the open Notepad textbox.
Saved it under "Bestandsnaam" (File name) as "fixer.reg" (including the quotes) and chose in "Opslaan als" (Save as type) the option "Alle bestanden" (All files) instead of "Tekstdocumenten" (Text documents). I saved it on my Desktop. However, the quotes are (obviously) not accepted when I save the file; consequently, the file name is only Fixer (without the quotes).
When I right click on it, I chose “Samenvoegen” (Merge). The Fixer file simply opens and I can see the text which I saved earlier.

But then, what next … because no information “merges” with the Registry.

Did I do something wrong ?
Jintan
« Reply #19 on: December 05, 2009, 06:52:02 PM »

Before I forget again, if you click on the Calendar of Updates link in the MalwareCrypt General forums, you will be taken to our sister site's update info calendar, which also shows this "Products with Ask Toolbar" info. So regardless of anything else Webroot does include and install Ask (was one of the very first "security" softwares to do that).


For that fixer.reg file, save what you copied to Notepad by that name, but also in the "Save as type" dropdown change that to "All files". Then it should be a true .reg file and allow a merge with the Registry.

Then, regardless of whether that is successful this time, go ahead and do the ComboFix step please.
chiquitan
« Reply #20 on: December 06, 2009, 07:59:29 AM »

Jintan
« Reply #21 on: December 06, 2009, 04:41:54 PM »

Let's see if fixing the .reg file commands will correct the missing Merge option. ComboFix only located/removed that one item, so let's do a scan to verify the earlier autorun setting was just a remnant there.

Download System Repair Engineer. Use the Local Download button to download sreng2.zip.

Extract (unzip) it to its own folder on your Desktop, then double click SREngLdr.exe to run it.

When the display opens, click the "System Repair" icon in the left hand column.

Under the first "File Association" tab it will have already placed checkmarks in the boxes next to file associations it sees as incorrect. Don't make any changes, and just click Repair. The display will flicker briefly, and then the results should reflect all are "Normal".

You will see many other options to use this tool for, but unless you truly know what they are indicating and what changes System Repair Engineer might make it is really not something you should try in any way (and a reason why I tend to avoid providing this repair tool).

Then see if you can Merge that reg file you created.

---------------

Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.
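The Malwarebytes log in Reply #16 shows two "Broken.OpenCommand" items: the open commands for regfile and scrfile both point at NOTEPAD.EXE %1 instead of regedit.exe "%1" and "%1" /S. Explorer's "Merge" entry on a .reg file is that regfile open verb, so with the association redirected, Merge simply opens the file in Notepad, which is exactly the behaviour described in Reply #18. The following is an added example, not code from the thread or from Malwarebytes: it reads such log lines and writes a REGEDIT4 script that restores the "Good" command for each finding, escaping backslashes and double quotes as .reg syntax requires. The two log lines are copied from the scan posted above; the function accepts any number of them.

```python
"""Turn Malwarebytes "Broken.OpenCommand" findings into a REGEDIT4 repair script.

Added example for this thread; not code from the original posts or from
Malwarebytes.  MBAM_LINES are the two findings copied from the log posted above.
"""
import re
from dataclasses import dataclass

MBAM_LINES = r'''
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.
'''

# One MBAM 1.x "Registry Data Items" line: <key>\<value> (Broken.OpenCommand) -> Bad: (...) Good: (...) -> <status>
FINDING_RE = re.compile(
    r"^(?P<path>HKEY_\S+) \(Broken\.OpenCommand\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<status>.*)$"
)


@dataclass
class Finding:
    key: str    # registry key, e.g. HKEY_CLASSES_ROOT\regfile\shell\open\command
    name: str   # value name; "(default)" is the key's default value
    bad: str    # command currently in the registry
    good: str   # command Malwarebytes expects


def parse_findings(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue                 # every other MBAM line is ignored on purpose
        key, _, name = m.group("path").rpartition("\\")
        findings.append(Finding(key, name, m.group("bad"), m.group("good")))
    return findings


def reg_quote(s: str) -> str:
    """Quote a string for a .reg file: backslash and double quote are escaped with a backslash."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_repair_reg(log_text: str) -> str:
    findings = parse_findings(log_text)
    if not findings:
        raise ValueError("no Broken.OpenCommand findings in log")
    out = ["REGEDIT4", ""]
    for f in findings:
        out.append(f"; was: {f.bad}")
        out.append(f"[{f.key}]")
        lhs = "@" if f.name.lower() == "(default)" else reg_quote(f.name)
        out.append(f"{lhs}={reg_quote(f.good)}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Save the output as repair.reg and import it from an elevated prompt with
    #   regedit /s repair.reg      (or: reg import repair.reg)
    # Double-click/Merge cannot be used while regfile's own open command still
    # points at Notepad.
    print(build_repair_reg(MBAM_LINES))
```

Since double-clicking the result would only reopen Notepad while regfile is still broken, import it from an elevated command prompt with regedit /s repair.reg or reg import repair.reg (HKEY_CLASSES_ROOT writes need administrator rights on Vista). Review any generated .reg before importing it; the parser deliberately ignores lines that are not Broken.OpenCommand findings, so nothing else from the log ends up in the script.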
chiquitan
« Reply #22 on: December 11, 2009, 04:23:53 PM »

Still didn't manage to 'Merge' that reg file (I really don’t understand what you mean by that). So I left it out.
Did the System Repair until all the results were ‘Normal’.
Scanned with Eset Online and no threats were found.
Hence, the log file I found was only two lines long.
See log file here below:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

We don’t seem to find anything specific. It’s the whole system which doesn’t run normally anymore, esp. the registry. I will have to reinstall all my programs anyway because there are still 3 registry keys missing which I wiped out mistakenly through System Mechanic (I forgot to ‘exclude’ these keys from being erased in the Infineon programme module). As well as plenty of other weird things which cannot be solved by the scans or other procedures. For instance, my Windows firewall which can not be activated anymore. And even my VOIP programmes that get affected. Also each time I want to open a new internet page, I get it in ‘miniature’ form, i.e. it doesn’t open completely until I click on it.

I’ll choose another antivirus, antispyware and firewall programme (ESET Smart Security 4) and will not install SpySweeper anymore. I could also opt for AVG Anti-Virus Free Edition + ZoneAlarm firewall + antispyware programme but I’m not so keen on the ‘Allow’ popups of ZoneAlarm each time one wants to open a new IE page.

Could you please tell me what are your favourite trustworthy programmes (antivirus, firewall, antispyware, …) because this is at least the fourth time I’m reinstalling everything …

Finally, I’d like to switch to Linux Ubuntu one day. However, how do you do this ?

I attended a short seminar on it but haven’t read all the documentation yet. I have now two partitions on my hard disk, i.e. the C: (programmes) and D: (data). Can I already install Linux now (without uninstalling Windows Vista) and once it is installed wipe out Windows Vista (but how do you uninstall Vista ?). Or do I necessarily need to make a new partition with for instance Norton Partition Magic ? I also learned how to do it, but that was already more than three years ago (and all my documentation is in my home country).

By the way, is everything what is stated about rogue software correct and trustworthy ? See : http://www.spywarewarrior.com/
Jintan
« Reply #23 on: December 11, 2009, 05:30:39 PM »

Q&A time here, eh? :)

I received the SREng log via email. Really matches what already shows in these logs posted, with only the Ask Toolbar as any unwanted software still there. That Spyware Warrior site really has not been updated in quite some time for much of what shows there. Good info, but no longer current.

If you check the "Self-contained registry scripts" part here, you will get an understanding of what we are wanting to do with "merging" that .reg file.

The Ubuntu version of Linux is free (they will send you a copy), and they also have guidelines here on setting up that dual boot you are considering. Better to review those before trying to think through if you need to change or partition anything anew there.

As for security softwares, those that are shown here are some I know to be trustworthy and have excellent track records. And some sites in #2 there provide a more current look at softwares than those at Spyware Warrior.