Possible virus or malware???

[greg349]

This afternoon I downloaded a free program off the internet. I first scanned the files of the program with Nortan Internet Security's Custom Scan feature. Norton found nothing. After attempting to start the setup.exe file however, Norton detected several risks, blocking one and removing the other. I quickly permanently deleted all that had been downloaded, the folder and its freeware program. Norton said it needed to restart to finish resolving threats, so I restarted my computer. After doing this however, my computer started taking a long time to run applications that usually only took a few seconds for it to load and were crashing seemingly at random. I decided that I would open task manager to see if there was anything unusual going on. After looking through the list of processes, I noticed that certain programs like internet explorer, windows media player, mozilla firefox, and later on windows sidebar were taking abnormally very large amounts of kernal memory to run themselves. I decided to look through Norton's history, and I noticed that the setup file from the free program had made 12 changes to system registry files on my computer about the time I clicked on it. (Norton gives time info) So, this led me to believe, especially after reading a 2 years old or so article on this forum that sounded similar to my predicament, that there was some sort of virus or malware that had altered these files to make these programs run this way. I went to My Computer to see if I could use System Restore to go back to a restore point before I downloaded the software, but for some reason, System Restore was turned off. Over time these programs using unusually large amounts of memory keep using more and more memory until the program becomes noresponsive or crashes. For example, windows media player stops playing midsong. I was hoping, then, could you please help me identify my problem, and then direct me on how to fix it?

I was also wondering, if this is some sort of malware, could this spread, because it seemed like it might of spread to windows sidebar, or is it limited to just those 12 changes I think it made?

Additional Information:
I have Windows Vista Home Premium OS.
I have a Toshiba Satelite L305-S5909 with 4 GB RAM that I purchased several months ago.

Thanks in advance for any answers to this post.


I attached an example of the problem to this post.

[Ried]

Hello greg349,

I appreciate the time you took to write up this well detailed post. However, we need more than a description to ascertain whether or not malware is at play here.

Please follow the instructions in our sticky topic New Instructions - Read This Before Posting for Malware Removal Help and post the requested logs in your next reply.

**If you subscribe to this thread, you will be notified via e-mail when a reply is made. Click Thread Tools>Subscribe>Instant Notification

Also:

Quote:

NOTE: We are aware that users sometimes seek help from several Forums at the same time. Unfortunately, this can cause confusion and actually wastes time and resources - yours, ours and other Volunteers across the community. If you have already posted at another Forum, please advise us, or them, and choose just one.

If you've posted for help elsewhere, please let me know that now so I can move on to someone else.

[greg349]

Ok, I tried to use the DDS program, but it said that it was incompatible with 64-bit windows. The other program works, and I will post the results as soon as its scan is finished. Thanks.

[Ried]

64 bit systems are not compatible with most of our tools.

Use this instead:

Download OTListIt2 to your desktop.

• Double click the icon to start the tool.
• Click Run Scan and let the program run uninterrupted.

When the scan is complete, two text files will be created, OTListIt.Txt and Extras.txt, on Desktop. I only need the contents of the OTListIt.txt

[greg349]

Alright, thanks I'll try that. In the meantime, the GMER scan finished, and I'll attach the results to this post.

[greg349]

Alrght, the OTListIt program finished and produced the 2 files, just like you said. I attached the OTListIt.Txt file to this post. Thanks again.

[greg349]

one more thing-- I ran a full system scan with Norton Internet Security and all it came up with wasa tracking cookie, which it removed.

[Ried]

Please go to Virus Total

• Copy paste the following full path into the empty box under 'Upload a file'
  
  

  C:\Windows\ieseDagC.dll

• Click 'Send File'
  
  
• Copy/paste the results into Notepad and save it to your desktop.

Post those results in your next reply.

================================


If Virus Total found no threats, let's get the opinion of a different AV and see if it finds anything lurking about. It can take some time, so please be patient and allow it to run it's full course:

**Vista users - right click on the IE icon and run as administrator

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

[greg349]

The results to the Virus Total scan are attached to this post.

[Ried]

Are you sure those are the results of the file you uploaded and not the file that was previously scannned at VT? The reason I am asking is because of this info:

Quote:

File ieseDagC.dll received on 04.12.2009 17:43:15 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 8/40 (20%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 54 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Did the automatic reload occur?

[greg349]

I'm not sure, but I ran the scan and got new results, and I'll attach them to this post. As for the Kasperky online scan, it wasn't working because internet explorer kept overloading because of the Kernel memory thing. For some reason, whatever it is stopped raising internet explorer's memory. However, I can still see the computer is running at a largely compromised speed, especially shown in task manager. So, since the Kaspersky scan is able to work now, I'll post the results when it finishes (it looks like its going to take a while).

[Ried]

Thank you, I appreciate your efforts. I'll await the Kaspersky results.

[greg349]

Thanks again for your help. Finally the Kaspersky scan is finished. I have attached the results of its scan to this post.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, April 13, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 64-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, April 13, 2009 03:36:29
Records in database: 2039470
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 289141
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 05:03:23


File name / Threat name / Threats count
C:\Downloads\divX Pro 7 (for windows).EXE Infected: Trojan.Win32.Agent.bktb 1
C:\Users\BenKlontz\AppData\Local\Temp\123.exe Infected: Trojan.Win32.TDSS.uvh 1
C:\Users\BenKlontz\AppData\Local\Temp\7zO806D.tmp\DivXInstaller.exe Infected: Trojan.Win32.Agent.bead 1
C:\Users\BenKlontz\AppData\Local\Temp\IXP000.TMP\DWONLO~1.EXE Infected: Trojan.Win32.Agent.bktb 1
C:\Users\BenKlontz\Music\My Library\Oldies Rock\Harry Connick Jr\Harry Connick Jr - Do You Know What It Means To Miss New Orleans.wma Infected: Trojan-Downloader.WMA.GetCodec.a 1

The selected area was scanned.

[greg349]

Ok, so I noticed that Kaspersky detected some things in a few places. If I deleted these things, would the viruses they contain also disappear? I would prefer not to delete them, although that is probably the easiest solution. Also, did the Virus Total Scan find anything that the Kaspersky scan did not?

[Ried]

Yes, it's imperative you delete all the files Kaspersky has flagged.

After doing so, reboot the system. If IE still is pegging usage, download HijackThis 2.0.2 to your desktop.
Alternate link

Double-click on the file you just downloaded. Click on the "Install" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you. Click on 'Do a System Scan Only'.

'Check' the following entry:

O4 - HKCU..\Run: [Cgudujepopepacu] rundll32.exe "C:\Windows\ieseDagC.dll",e

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Reboot your system.

How is it behaving now? Any improvement?

[greg349]

Ok, so I deleted everything Kaspersky said to delete, and rebooted my computer. Everything seemed good, for a while. Then things started acting weird again. I'll post several screen shots of task manager, so you can see. The amount of CPU (usage) keeps jumping up and down like crazy. When I first rebooted, the RAM usage was about 0.5 GB from what it was, but now it's back to where it was before. The kernel memory of internet explorer is way too high still. Also, what is TeaTimer.exe? It seems to be using way too much kernel memory also. I eneded the task TeaTimer.exe and it seemed not to effect anything. I posted an image of task manager of this in this post so you can take a look. I also included a multiple part list of all the processes on my computer so you could see if there was anything out of the ordinary. Could it be possible that the virus changed the actual program files of these programs so that they run this way? Windows media player and internet explorer continue to crash at random. Well, while I'm waiting for your reply, I'll run that other scanner and see if it can come up with anything that the Kaspersky scanner did not. Thanks again for all your help.

[greg349]

More screenshots.

[greg349]

--More screenshots 2-- --More screenshots 2-- --More screenshots 2--

[greg349]

--More screenshots 3-- --More screenshots 3-- --More screenshots 3--

[Ried]

Have you fixed that entry with HijackThis yet?