qimqim,

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

 

qimqim,

Thanks for your patience. I just want to get some history of what has been done either by you or a helper in this or another forum. I certainly don't want to make a bad situation worse.

In earlier message, and in continuation of another thread on another conmuter I started a thread stating that having tried ESET it had found a number of threats which i will mention at the end.

Do you have a link to this thread? I found this one

http://www.techsupportforum.com/forums/f50/eset-threats-748177.html​

Is this it? I want to make sure we are talking about your XP machine as I see you have also posted you Windows 7 machine as well.

http://www.techsupportforum.com/for...rum.com/forums/f50/slow-computer-uds-dangerous-object-multi-generic-738745.html​

Gmer found rootkit activity ... and I was unable to finish the scan

I would like to see that log. If you are having a problem getting a completed scan, please describe any error messages. You can try running a new scan in Safe Mode.

Having mentioned it, I'd thought I'd include the steps for accessing Safe Mode in XP. Excerpted from here.

Windows XP

Using the F8 Method:

1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode.
5. Do whatever tasks you require and when you are done reboot to boot back into normal mode.

If you no longer have the file, you can download it again here

Download GMER​

Thanks for the ESET scan and what it detected. I will address those shortly but first I'd like to try and get a gmer scan to complete.

 

Hi DrDos

First, yes, the previous threads are the one syou mentioned.

I ran Gmer in safe Mode but forgot to check "Showall" or Drive C. It was a quick scan. When it finished, I started again by unchecking IAT/EAT, Quick scan, and checking C:\ and "Show all". It stopped after a long while when it was going through teh Registry (Software \Classes\SystemFileAssociations\potm is the last entry at the bottom.

A MS box came up stating that Gmar.exe had stopped and had to close. The information referred to Event Type: BEX; P1: Gmer.exe, P2 2.1. 19163.0. P3 515d31f0, etc...

I will send the ark.txt in afew minuted as I am writing from a different computer

 

here goes the log

 

qimqim,

Hi DrDos

First, yes, the previous threads are the one syou mentioned.

I ran Gmer in safe Mode but forgot to check "Showall" or Drive C. It was a quick scan. When it finished, I started again by unchecking IAT/EAT, Quick scan, and checking C:\ and "Show all". It stopped after a long while when it was going through teh Registry (Software \Classes\SystemFileAssociations\potm is the last entry at the bottom.

A MS box came up stating that Gmar.exe had stopped and had to close. The information referred to Event Type: BEX; P1: Gmer.exe, P2 2.1. 19163.0. P3 515d31f0, etc...

I will send the ark.txt in afew minuted as I am writing from a different computer

here goes the log

when I ran the scan on sections and C. drive it stopped after a while, It had done that before, and I was unable to finish the scan

Sounds like you may have run gmer properly but were you able to run it in Safe Mode with these same settings? I ask because your ark log shows registry entries which would normally be absent selecting only those two (2) options. Take another look at

http://www.techsupportforum.com/for.../new-instructions-read-this-before-posting-for-malware-removal-help-305963.html

and before you click on Scan, make sure you have selected the items shown in the screen shot following

Please note:

If (and only if) there are problems using gmer as indicated above, run the scan with ONLY the Sections and C drive boxes ticked.​

I would like to see this log because gmer had reported rootkit activity in an earlier scan. If you're still having troubles getting a scan to complete, can you capture a screenshot of gmer showing that rootkit activity? Also, we may not see that rootkit activity you mentioned running a scan in Safe Mode. I don't want to move forward until we've exhausted all attempts. (Oh. FYI "Show all" is not what we ever want.)


Thanks


From the ESET scan

C:\Documents and Settings\Administrador\Ambiente de trabalho\Setup Files\SoftonicDownloader_for_hitman.exe Win32/SoftonicDownloader.E application cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WiIQfraud7.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\Benfica\Application Data\Codec Pack Packages\uninstaller.exe Win32/InstallCore.AZ application cleaned by deleting - quarantined
C:\Documents and Settings\Benfica\Application Data\DSite\UpdateProc\UpdateTask.exe Win32/DownWare.E application cleaned by deleting - quarantined
C:\Documents and Settings\Benfica\Application Data\Mozilla\Firefox\Profiles\gceaq88n.default\extensions\plugin@getwebcake.com\content\overlay.js JS/Adware.Yontoo.C application cleaned by deleting - quarantined
C:\Documents and Settings\Oxana\Ambiente de trabalho\Camilo 2\SoftonicDownloader_for_driverscanner.exe Win32/SoftonicDownloader.E application cleaned by deleting - quarantined
C:\System Volume Information\_restore{4CBA5242-8E68-457E-93A6-D84E71567E17}\RP235\A0047464.exe probably a variant of Win32/CNETInstaller.A application cleaned by deleting - quarantined

Looks like a mixture of PUPs, Adware and a Bagle worm (which can be very nasty).

PUPs
Originally coined by Mcfee, this usually is a program that may be unwanted, despite the possibility that users consented to download it. They can include spyware, adware, and dialers, and are often downloaded in conjunction with a program (usually "free") that the user wants.

Adware
Adware is not necessarily malware. Legit programs use advertising as a way to promote other software in order to gain revenue. If the adverts are too prevailing then offending software can usually be uninstalled via the control panel using add/remove programs.

Worm
Worms are very similar to viruses except that worms have the ability to spread themselves without any intervention across networks or though security holes in the operating system. It is aimed at causing mass disruption on the computers that it infects.

You don't have to search the internet very hard to find definitions for these and others. A good way to help keep you safe is to never install software (especially the free kind) in the Express mode and install anything extra only if you want it.

This has a lot of useful information

So how did I get infected in the first place?​

Overall, do you feel your XP system is working as expected now?

 

Well, this time I did not get very far. I got a Blue screen too fast for me to raed it. I am attaching the error and the event viewer log.

It was done in normal mode. I am going to try again in safe mode.

To answer your question at the end> the system is very very slow!

 

I tried again safe mode. After a long time when it was going through the files and apparently about to finish the system switched off as it has done before.

There were some entries all about the registry to do with WmiApRpl in CurrentControlSet/Control/Video.

What shall I do now?

 

Is it possible that the system switched off for lack of activity, while in safe mode? if so, how could i get the system not to switch off? XP SP3

 

qimqim,

Since gmer hasn't worked for us and seemed to indicate rootkit activity, let's use a different anti-rootkit tool. I just want to make sure there's nothing lurking so we are just going to analyze first so if a rootkit is found, make sure you are selecting Skip and not Cure, which is the default.

This tool has recently changed: you have to accept a EULA to continue but another screen (optional) for the Kaspersky Security Network (KSN) Statement, which you can accept or decline. This statement is about uploading data for Kaspersky's analysis.


Download TDSSKiller.exe to your desktop from this link:

http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe​

• Execute TDSSKiller.exe by doubleclicking on it.
• Click Accept on the End User License Agreement.
• Click Accept or Decline on the KSN Statement
• Press Start Scan
• If Malicious objects are found, select Skip by changing the default Cure selection at the upper right
• Once complete, a log will be produced at the root drive which is typically C:\
• For example, C:\TDSSKiller.3.0.0.19_date_time_log.txt
• Attach that log, please.

 

Hi

The scan did not show anything. I am attaching the log.

I would still like to persevere with Gmer in case the computer switched off for lack of activity. How would I configure XP not to switch off?

Thanks for your help

 

I tried again in normal mode< this time in quick scan. First, immediately, abox came saying that Gmar had been stopped. Tries agaib and the blue screen came up with something like Page>fault. After that MS box came up saying it had recovered froma serious problem and needed info,

I only get these blue screens with Gmer.

 

qimqim,

As TDSS found nothing (it really works the same as gmer, just differently - your results with gmer will probably not change until whatever is going on with your system has been corrected) and there are no signs of malware in the logs you have submitted already, this may not be a malware related issue at all but a Software (some OS file) or a Hardware (anything installed recently?, loose chip or cable?) one.

Having said that, I'd like to refer you to a few TSF forums for further help. Please refer them to this post so they can see what has been done so far.

This Post​

Some other forums that may help

Windows XP Support

or

BSOD, App Crashes And Hangs​

How would I configure XP not to switch off?

I'm not aware that any OS does this by default. Check power settings (on Task Bar or Control Panel) or could be hardware related as each computer usually tries to protect itself (especially from overheating issues).


Let me know if I can be of any further assistance.

 

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum