Slow browser, slow internet, random audio ads: virus?

[Tienjt]

So yeah, I've these problems for the past couple days. My browsers (Opera and Firefox) used to load pages quickly, but now they're painfully slow. Opera lags and freezes often; Firefox doesn't, but it still takes a very long time to load pages.

I'm also getting these occasional "invisible ads," even when I don't have a browser open. I can hear the ads but I can't see them.

Also, I sometimes get redirected to unwanted sites. This mostly happens when I click on a search result in Google.

Here are some things I've done:

-Ran SUPERantispyware (I can post the log(s) if needed)
-Defragged hard drive
-Cleaned cache, cookies, etc. on both browsers

 

[solarmystic]

Hello Tienjt,

Scan your computer again, this time using Microsoft Security Essentials and Malwarebytes Anti Malware as posted in the links below:-

Download CCleaner to get rid of temp files - it will make the antivirus scans go faster
Download CCleaner 3.20.1750 - FileHippo.com

Download Microsoft Security Essentials (MSE) from here:
Microsoft Security Essentials - Free Antivirus for Windows

Download the updates for MSE from here:
Install the latest Microsoft Security Essentials definition updates - Get the latest definitions - Microsoft Malware Protection Center

Download malwarebytes from here:
Download Malwarebytes Anti-Malware 1.62 - FileHippo.com

And the malwarebytes updates from here:
http://data.mbamupdates.com/tools/mbam-rules.exe

Provide feedback when you can. Thank you.

 

[Tienjt]

Hi solarmystic, thanks for replying.

Ran CCleaner.

Just ran MSE - no threats found.

Ran MalwareBytes - no threats found. I also ran MalwareBytes a couple days ago but it didn't fix the problem, even though it removed two threats. I'll post that log below.

----

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: v2012.07.13.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
owner :: OWNER-VAIO [administrator]

Protection: Disabled

7/12/2012 11:39:32 PM
mbam-log-2012-07-12 (23-39-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213067
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

[tman69]

is possible that you picked up a 'roofkit'

here's a link to a useful utility to scan for and remove rootkits

How To - Remove threats - Free Removal Tools - Blacklight | F-Secure

 

[Tienjt]

Hi tman,

I downloaded Blacklight, but it looks like it isn't compatible with Windows 7.

 

[tman69]

oops sorry--I run it on my XP machine--I will see if I can find a win7 vers

here is a link to many rootkit removers--you'll have to decide which to try

http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm#Quick_Selection_Guide

it appears that some work and some don't

 

[Tienjt]

Hmmm, for some reason none of the files I downloaded will open. I tried opening the .exe files for Dr.Web Fixit, TSDDKiller, and Avast!, but no luck. Is the malware preventing me from opening them or something?

 

[tman69]

this may help kill any running processes

Rkill - Repair Tool of the Week - Technibble

also you could try starting your machine in 'safe mode' and then you may be able to launch the program(s)

 

[Tienjt]

Ran Rkill (as a .com file) - it didn't find anything.

The antirootkit files I downloaded still won't open (even in Safe Mode), but other .exe files work (Guild Wars setup, for example). I did manage to get Dr.Web Cureit running, but it didn't detect any threats.

And just as an update, I'm still experiencing the problems I mentioned in my original post - Google results redirecting me to unwanted sites, laggy/slow Opera browser, and slow-to-load Firefox browser.

 

[Layback Bear]

Read through these.
What is Windows Defender Offline?

http://www.sevenforums.com/tutorials/166445-windows-defender-offline.html

 

[Tienjt]

Hi Layback,

I assume you wanted me to download WDO and run the full scan, so I did just that. It found 8 threats and removed them... kind of. The progress bar for the threat removal (not the actual scan) froze 3/4 of the way through, so I had to restart the laptop and run the scan again. That time it only found 3 threats, and again it froze when trying to remove them.

I'm not sure if the other 4 threats were removed with the first scan, or if they managed to avoid detection. Either way, my browsers and internet are still slow. I don't want to say that the audio ads are gone yet, but I haven't heard any for a while.

 

[Layback Bear]

How long are these scans taking? Is your computer freezing or does the scan just stop? The computer might be overheating. In you previous post MAM removed a Potentially Unwanted Modification (PUM). . Because of all the scan with various programs you have done make sure at the present time the only ones on your computer now are MSE and MAM. Remove all other anti programs before doing anything else. Remove all P2P and torrent programs. Then reboot.
Then run sfc /scannow again and see if it picks up anything. Let us know of any changes.

 

[Tienjt]

A full scan with WDO takes about an hour. It's not the scan that stops; the actual process of removing the threats does. The progress bar advances quickly at first, but slows down and completely stops about 3/4 through. I let it sit there for 30 minutes, but it wouldn't continue. Same thing happened with the second scan. The laptop itself didn't freeze.

I'll reboot and run sfc later.

Update: Removed all AV programs except for MSE and MalwareBytes and rebooted (I don't have any P2P/torrent programs afaik). Ran sfc /scannow in an elevated command prompt but no integrity violations were found.

Opera is still hanging/freezing, and Firefox still loads pages very slowly. Google is still redirecting me to weird sites (like cigarpuma.com) Haven't had any audio ads so far though.

 

[Borg 386]

It found 8 threats and removed them... kind of.

Do you remember what the name of the threats that Defender found?

Another tool that you can try is Norton power Eraser, this is an on-demand scanner like Malwarebytes:

http://security.symantec.com/nbrt/npe.aspx

Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully. If you accidently remove a legitimate program, you can run Norton Power Eraser to review past repair sessions and undo them.

Also, you may want to flush your DNS cache. See this thread, post #5 and follow the procedure Jacee has posted:

http://www.sevenforums.com/system-s...d-dns-cache-poisoning-attack.html#post1656931

 

[Jacee]

Sounds like the "whistler bootkit"

Please see this article Whistler Bootkit – a new powerful Windows bootkit - NoVirusThanks Blog
also
http://labs.bitdefender.com/2011/11/whistler-bootkit-flies-under-the-radar/

 

[Borg 386]

The fun never ends Jacee....:sarc:...too many bootkits/rootkits lately.

Found the link to BitDefender's tool which it says removes this virus.

Bootkit Removal Tool - BitDefender Forum

Your best/safest bet would be a clean install.

http://www.sevenforums.com/tutorials/1649-clean-install-windows-7-a.html

 

[Jacee]

I would also recommend a wipe and clean install.

 

[Tienjt]

I don't remember the names of the threats, though I think all of them included the word "Java."

If a clean installation of Windows 7 is the best option, then I think I'll do that. I'm kinda tired of running all these scans, and I want to be able to use my laptop safely again. I'll run the bootkit removal tool now.

Oh, and I believe Win7 came pre-installed on my laptop (there's a COA sticker with the product key on the bottom of the laptop), so I don't have an installation CD or whatever. Any options?

 

[Borg 386]

You have two options. Have a look at this post:

http://www.sevenforums.com/news/206...-discs-how-get-replacement-media-legally.html

Or, you can do a factory restore, provided there is a recovery partition on your laptop. Most come with this, you'll have to Google how to do it on your particular PC.

A Factory restore will reset it to how you got it out of the box, meaning all your personal files will be gone. Back up your personal files on the media of your choice and scan them carefully before putting them on your clean PC, as you may re-introduce the virus if one of your files is infected.

You can submit files here, up to 32 MB, to be scanned by several AV engines:

https://www.virustotal.com/

 

[Tienjt]

Well, I just restored my laptop to factory settings, and everything seems to be back to normal! Thanks for the help guys! If there's anything I should do to prevent that nasty thing from implanting itself in my system again (aside from using an antivirus and using common sense), please let me know!