Malware infestation causing CPU to run at 100% continually.

Alien_Galaxy

New Member
Thread author
Verified
Apr 8, 2014
41
I came across this message in a readme.txt file. It was in D:\PerfLogs\System\Diagnostics\20110905-0001 along with other files such as "UAC Settings", "User Accounts", "BIOS", "AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct", "Startup Programs", "Startup Settings", "Processes", etc. It sounded really suspicious to me.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!--This file is automatically generated.-->
<DataCladFileStore>
<Message>This directory is being used as an AutoBackup File Store. MODIFYING OR DELETING ANYTHING IN HERE WILL CAUSE IRREPARABLE DAMAGE TO YOUR BACKUPS. DON'T DO IT!</Message>
<Version>2.5.0.0</Version>
<BuildVersion>4.60.0.7916</BuildVersion>
<BuildType>sgm</BuildType>
<eSellerID>STR4043462256</eSellerID>
<ProductType>autobackup</ProductType>
<Lang>en-US</Lang>
<OwnerToken>D95BFF1B08BBE08FE33702A48633B346</OwnerToken>
<EncryptionKey />
</DataCladFileStore>

At the time I posted this thread, I was running a rootkit scan with Spybot, so I was unable to run the AdwCleaner, FRST, and aswMBR scan logs and attach them, but I will run them as soon as Spybot finishes.
 

Alien_Galaxy

New Member
Thread author
Verified
Apr 8, 2014
41
Hi, I hope it was alright that I ran these scans in safe mode. I wasn't sure if it mattered, so I thought I would just mention it.
 

Attachments

  • FRST.txt
    65.4 KB · Views: 127
  • Addition.txt
    33.8 KB · Views: 110
  • aswMBRF_Apr-14-2014.txt
    443 bytes · Views: 75

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hi,


Let's run another tool:


1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this please read this or this Instruction.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, a total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) to the topic.
 

Alien_Galaxy

New Member
Thread author
Verified
Apr 8, 2014
41
Should there be more than 1 log report?
I have already noted a huge improvement in speed and CPU usage has returned to normal. :)

P.S. I spoke to Alienware today on my other computer. According to them, it sounds like the only option I have is reinstalling Windows, but I'm not sure how they plan to do that when no drives are reading any data.
 

Attachments

  • ComboFix.txt
    21 KB · Views: 81

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
We need one more check:


Open notepad and copy/paste the text present inside the code box below:
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
Driver::
AID
LD

ClearJavaCache::

Save this as CFScript.txt

[Screenshot: CFScriptB-4.gif]


Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)



***** NEXT *****



Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
For full instructions on how MBAR works, read this article.

> Double-click on the MBAR file and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.


• On the Update Database screen, click on the Update button. Once you see 'Success: Database was successfully updated' click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two message boxes:
- 'Could not load protection driver'. Click 'OK'.
- 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.


>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>> If an infection is found, ensure Create Restore Point is ticked. Then select the Cleanup! button to remove threats.
• The clean-up procedure will be scheduled, and a pop-up will be shown.
Select the Yes button and the system should reboot to complete the cleaning process.

>> Notice: only if a rootkit is detected, be sure to run the fixdamage.exe tool located in the mbar folder, \Plugins\fixdamage.exe
- Run fixdamage.exe; at the black window, type Y (alias for Yes) to continue. Wait a few seconds for execution ...
- When you see "press any key to exit", the fix is completed; press any key to close the window. Reboot the system.



> The following reports will be created in mbar folder:
1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Please post both logs in your next reply.
 

Alien_Galaxy

New Member
Thread author
Verified
Apr 8, 2014
41
Here are the requested log reports...
 

Attachments

  • ComboFix.txt
    21 KB · Views: 74
  • mbar-log-2014-04-15 (20-25-31).txt
    2 KB · Views: 72
  • system-log.txt
    5.2 KB · Views: 74

Alien_Galaxy

New Member
Thread author
Verified
Apr 8, 2014
41
It is clean?? Hmmmm...that's strange, it's back to running at 100% again.It was good up until... I think maybe it was when I opened a VLC media file on my desktop. There was a file that I didn't recognize/recall, so I opened it to see what it was but no media played, and it was after that when I noticed my system had slowed down again and CPU usage went back up to 100%. I scanned the file on virus total, but it came up clean. Is it possible that we may have missed something? Or maybe I triggered something to run by opening that VLC file?
 

Alien_Galaxy

New Member
Thread author
Verified
Apr 8, 2014
41
Here are the fresh reports from the FRST scan:
 

Attachments

  • FRST.txt
    71.6 KB · Views: 231
  • Addition.txt
    32.9 KB · Views: 86

Alien_Galaxy

New Member
Thread author
Verified
Apr 8, 2014
41
Attached is a log of a scheduled scan that SpyBot did after we thought the PC was clean. Things did seem to be running a little better for a while but they are back to being very slow and there is still a very high CPU usage (between 75-95% generally). Still some odd behavior like Firefox browser settings get reset with each new session. There's a line across the middle of my screen that does not go away. It stays there regardless of what program I open and does not move. Also, is it normal for a document & settings folder and a recycle bin folder to be locked (access denied)? Is there another kind of scan we could do because I have a feeling there is something else.
 

Attachments

  • SpyBotMalwareScan.txt
    12.5 KB · Views: 159

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Please forget about Spybot (I really don't know where you found this product). This product is outdated and not maintained regularly. It is much better to use MalwareBytes, for example, which keeps pace with new threats.


Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.
  • Double click on zoek.exe to run the tool .
    Please wait until the tool starts...
  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

    Code:
    createsrpoint;
    autoclean;
    emptyalltemp;
    emptyclsid;
    ipconfig /flushdns;b
    emptyfolderscheck;delete
  • Click on the Run script button.
    Please wait until a log report opens (this can be after reboot).
  • Save the notepad file to your Desktop and attach zoek-results.log here.
    Note: It will also create a log in the C:\ directory named "zoek-results.log"
 

Alien_Galaxy

New Member
Thread author
Verified
Apr 8, 2014
41
I did get Zoek to run, but I am having problems with an internet connection in order to post the result logs. You see, I had run Emsisoft HiJackFree and was looking through the services running. About 106 of the services are described as LogiGuard (posing as Microsoft system services), so I disabled them (only the ones that were already stopped). I am hesitant to re-enable them though because they may be the cause of all my trouble. But if I don't re-enable them, I suspect I will continue to not have an internet connection. I was going to send you some print screens of my findings too. What do you suggest I do? Is Emsisoft a reliable program, as I noted what you said about the SpyBot software?
 

Alien_Galaxy

New Member
Thread author
Verified
Apr 8, 2014
41
Here is the Zoek results log. I will try to get you the print screens I mentioned earlier.
 

Attachments

  • zoek-results.log
    7.5 KB · Views: 87

Alien_Galaxy

New Member
Thread author
Verified
Apr 8, 2014
41
Here are those print screens. I had to zip them because they were .rtf documents. I hope you will be able to view them okay.
 

Attachments

  • Tanya_Print_Screens1.zip
    586.6 KB · Views: 72
  • Tanya_Print_Screens2.zip
    520.2 KB · Views: 79

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Don't believe everything you see; there are no such infections on your PC. Let's run ComboFix one more time.



1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this please read this or this Instruction.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, a total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) to the topic.
 

Alien_Galaxy

New Member
Thread author
Verified
Apr 8, 2014
41
So, how do I know what results to believe and what software programs to trust? Some websites will highly recommend their favorite software while another website will recommend others. You get a different opinion everywhere you search, so it's very hard to know which one (website, software, information, etc.) is actually the best or most reliable/truthful. I wish there was one site that you could go to, that was like a bible for computers, where you could depend on the information in it. :-(
 

Attachments

  • ComboFix.txt
    22.2 KB · Views: 81
