#1
Malware detected, clean now but comp still running poorly.
Good day everyone,
I'm not sure how it happened, but last week I noticed my comp running incredibly slow, freezing up, programs malfunctioning, etc. I ran Anti-Malwarebytes and sure enough I had some malware. Here is the initial scan:
Malwarebytes Anti-Malware
Scan Date: 5/21/2015
Scan Time: 11:16:19 PM
Logfile:
Administrator: Yes
Version: 2.01.6.1022
Malware Database: v2015.05.21.04
Rootkit Database: v2015.05.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: bob
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 415725
Time Elapsed: 1 hr, 42 min, 2 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 1
PUP.Optional.DataMangr.A, HKLM\SOFTWARE\WOW6432NODE\DataMngr, Quarantined, [e563d4c25c2e46f0ff700907986ce31d],
Registry Values: 1
PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-3829630863-2373432100-1501377825-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Users\bob\AppData\Local\Apps\2.0\R36N6J7H.EL7\N5PKC76J.RMW\dell..tion_0f612f649c4a10af_0005.0008_a4204ff54ae5d3ac\DellSystemDetect.exe, No Action By User, [88c05442ff8bca6c72a4da03cb38827e]
Registry Data: 0
(No malicious items detected)
Folders: 1
PUP.Optional.Delta.A, C:\Users\bob\AppData\LocalLow\Delta\delta, Quarantined, [ec5c4f478a00ef47271c36a3be45b14f],
Files: 4
PUP.Optional.Somoto.A, C:\Users\bob\AppData\Local\Temp\nswC086.tmp, Quarantined, [4305cec8b0da5dd9572692f07b8607f9],
PUP.Optional.Somoto, C:\Users\bob\AppData\Local\Temp\bitool.dll, Quarantined, [ea5e22743d4d88aeeb728c7fd82bce32],
Rogue.Link, C:\Users\bob\Favorites\MP3 download MyFreeMp3.eu.url, Quarantined, [86c276201f6bec4a64b81c4583817789],
PUP.Optional.GoForFiles.A, C:\Windows\System32\Tasks\GoforFilesUpdate, Quarantined, [311744526a20a294e9cb4b188a7b6d93],
Physical Sectors: 0
(No malicious items detected)
(end)
--------------------------------------------------------------------
I then ran CCleaner, Dr. Web Cureit and Anti Malware again. It came up clean, but the comp was still running badly. Then I ran AdwCleaner with these results:
# AdwCleaner v4.205 - Logfile created 23/05/2015 at 12:52:09
# Updated 21/05/2015 by Xplode
# Database : 2015-05-21.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : bob - BOB-PC
# Running from : G:\Bob\Programs from other Computer\AdwCleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Found : C:\Device
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\ProgramData\Tarma Installer
Folder Found : C:\Users\bob\AppData\Local\PackageAware
Folder Found : C:\Users\bob\AppData\LocalLow\Delta
Folder Found : C:\Users\bob\AppData\Roaming\goforfiles
Folder Found : C:\Users\bob\Documents\Updater
***** [ Scheduled tasks ] *****
Task Found : GoforFilesUpdate
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Found : HKCU\Software\928cdebd35bd49
Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\GoforFiles
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\APN PIP
Key Found : [x64] HKCU\Software\GoforFiles
Key Found : [x64] HKCU\Software\Softonic
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Babylon
Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\GoforFiles
Key Found : HKLM\SOFTWARE\PIP
Key Found : [x64] HKLM\SOFTWARE\Tarma Installer
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17496
-\\ Mozilla Firefox v38.0.1 (x86 en-US)
*************************
I then ran Junkware Removal Tool. It found some things as well; sorry, I didn't save the log. Then I ran AntiMalwarebytes again, then Hitman Pro. I did all of the above again and it was coming up clean. The comp was still running badly. I ran Emsisoft Anti-Malware and it came up clean. Then I ran RKill; here's the log:
Rkill 2.7.0 by Lawrence Abrams (Grinler)
Program started at: 05/26/2015 02:38:43 PM in x64 mode. (Safe Mode)
Windows Version: Windows 7 Home Premium Service Pack 1
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* No issues found.
Checking Windows Service Integrity:
* Base Filtering Engine (BFE) is not Running.
Startup Type set to: Automatic
* DHCP Client (Dhcp) is not Running.
Startup Type set to: Automatic
* DNS Client (Dnscache) is not Running.
Startup Type set to: Automatic
* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Automatic
* Windows Firewall (MpsSvc) is not Running.
Startup Type set to: Automatic
* Network Connections (Netman) is not Running.
Startup Type set to: Manual
* Network Store Interface Service (nsi) is not Running.
Startup Type set to: Automatic
* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic (Delayed Start)
* Windows Update (wuauserv) is not Running.
Startup Type set to: Automatic (Delayed Start)
* Ancillary Function Driver for Winsock (AFD) is not Running.
Startup Type set to: System
* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual
* NetBT (NetBT) is not Running.
Startup Type set to: System
* NSI proxy service driver. (nsiproxy) is not Running.
Startup Type set to: System
* NetIO Legacy TDI Support Driver (tdx) is not Running.
Startup Type set to: System
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* No issues found.
Program finished at: 05/26/2015 02:44:39 PM
Execution time: 0 hours(s), 5 minute(s), and 55 seconds(s)
------------------------------------------------------
Then I ran FixExec and SuperAntiSpyware. They came up clean. I ran TDSS Killer; I have the log, but it is VERY long. Should I post the whole thing? I then ran RogueKiller; here is that log:
RogueKiller V10.7.0.0 [May 25 2015] by Adlice Software
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : bob [Administrator]
Started from : C:\Users\bob\Desktop\RogueKiller.exe
Mode : Scan -- Date : 05/27/2015 14:21:22
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 40 ¤¤¤
[PUM.Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Found
[PUM.Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Found
[PUM.Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} -> Found
[PUM.Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> Found
[PUM.Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> Found
[PUM.Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> Found
[PUM.Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> Found
[PUM.Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910} -> Found
[PUM.Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} -> Found
[PUM.Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077} -> Found
[PUM.Orphan] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} : Canon Easy-WebPrint EX -> Found
[PUM.Orphan] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {47833539-D0C5-4125-9FA8-0819E2EAAC93} : -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStart Menu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStart Menu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStart Menu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStart Menu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3829630863-2373432100-1501377825-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3829630863-2373432100-1501377825-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3829630863-2373432100-1501377825-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3829630863-2373432100-1501377825-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3829630863-2373432100-1501377825-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-3829630863-2373432100-1501377825-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3829630863-2373432100-1501377825-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-3829630863-2373432100-1501377825-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \\4488 -- wscript.exe (C:\Users\bob\AppData\Local\Temp\launchie.vbs //B) -> Found
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BEVT-75A23T0 +++++
--- User ---
[MBR] a4d23e1f3c9f6ab870ac71a947ecc07a
[BSP] dea9defa67a18cc486b8c709b2ee22f0 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 101 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 208845 | Size: 15000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 30928845 | Size: 290142 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
============================================
I then ran OTL by Oldtimer; again, the log is extremely long, so I was not sure how to proceed. All of this was done in Safe Mode, by the way. For the most part it seems to be coming up clean, but it's still not running correctly. The browser freezes up, programs randomly freeze up, and simply right-clicking on something will take 3 minutes to go through. Then randomly it'll run fine for an hour or so. Any help on how to proceed would be extremely appreciated. Thank you so much.