Malware infestation causing CPU to run at 100% continually.

Alien_Galaxy (thread author)
I noticed that my symptoms are pretty much nonexistent when I am in safe mode, but when I return to regular mode, that's when all my problems return. I got to thinking that I had ran that last ComboFix scan in safe mode (and possibly the one before it as well), so I thought I should run the ComboFix scan in regular mode, but when I went to do that I got a message from ComboFix saying that it was unable to continue because something was detected and that I would have to run a rootkit first before continuing. Would the logs appear differently if a program is run in safe mode?
 

TwinHeadedEagle
Skip ComboFix and download this tool:


Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm the "End User Licence Agreement" and "KSN Statement" dialog boxes by clicking on the Accept button.
  • Press Start Scan
  • If Suspicious object is detected, the default action will be Skip, click on Continue.
  • If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the system drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.
 

Alien_Galaxy (thread author)
FYI: This scan was run in regular mode - NOT in safe mode. Let me know if you need it run in safe mode instead.
 

Attachments

  • TDSSKiller.3.0.0.32_23.04.2014_23.57.32_log.txt (201.5 KB)

Alien_Galaxy (thread author)
The print screen messages are strange because I did not have my antivirus program running at the time. I made sure to shut off everything (ESET, SpyBot, Windows Firewall, Windows Defender, etc.). When I looked at the task manager, it only showed 1 ESET service (NOT process) running, so I tried to go through administrative tools/services to disable or stop it, but the stop option was not available, which I thought was very weird, and when I tried to disable it, I got a message saying "access denied" (even though I was signed on under my administrator account). What are your thoughts on this?
 

Attachments

  • ComboFix Print Screen.zip (529.1 KB)
  • ComboFix.txt (23.8 KB)

TwinHeadedEagle
Please go to: VirusTotal
  • Click the Choose File button.
  • Please copy/paste the following text into the 'File name:' box:

    Code:
    c:\windows\system32\drivers\126F5530.sys
  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying "File already analyzed", click Reanalyse.
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
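The VirusTotal step above checks one driver by hand: submit the file, get the report URL. The PowerShell script below is an added example, not from the thread or from any of the tools it mentions. It reads the Authenticode signature status and SHA-256 hash of a driver, builds the VirusTotal lookup URL for that hash (so a file the site has already seen can be looked up without uploading it), and then generalises to every .sys file in the drivers directory, listing unsigned or randomly named drivers first. The single file path is the one named in the thread; the directory default, the eight-character-name heuristic and the URL format are assumptions.

```powershell
# Added example (not from the thread): triage kernel drivers by signature and hash.
# Assumptions: Windows PowerShell 4+ (Get-FileHash), drivers live under
# $env:SystemRoot\System32\drivers, and VirusTotal's per-file page is /gui/file/<sha256>.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"
)

function Get-DriverTriage {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash.ToLower()

    # Heuristic (assumption): names such as 126F5530.sys or udcqtdbu.sys, i.e. eight
    # letters/digits with no vendor prefix, are worth a second look.
    $randomName = $item.BaseName -match '^[A-Za-z0-9]{8}$'

    [pscustomobject]@{
        Name            = $item.Name
        SizeKB          = [math]::Round($item.Length / 1KB, 1)
        Created         = $item.CreationTime
        SignatureStatus = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        SHA256          = $hash
        VirusTotalUrl   = "https://www.virustotal.com/gui/file/$hash"
        Suspicious      = ($sig.Status -ne 'Valid') -or $randomName
    }
}

# The single driver the thread asks to be checked on VirusTotal.
$single = "$env:SystemRoot\System32\drivers\126F5530.sys"
if (Test-Path -LiteralPath $single) {
    Get-DriverTriage -Path $single | Format-List
}

# Whole directory: unsigned or randomly named drivers, newest first.
Get-ChildItem -LiteralPath $DriverDir -Filter *.sys -File |
    ForEach-Object { Get-DriverTriage -Path $_.FullName } |
    Where-Object Suspicious |
    Sort-Object Created -Descending |
    Format-Table Name, SizeKB, Created, SignatureStatus, Signer, SHA256 -AutoSize
```

Run it from an elevated PowerShell prompt so every file in the drivers directory is readable. Two caveats when reading the output: many Microsoft inbox drivers carry a catalog signature rather than an embedded one, so on older systems they can show as NotSigned, which is why the hash lookup matters more than the status column alone; and a creation timestamp close to when the symptoms began is a stronger lead than the name pattern by itself.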
 

Alien_Galaxy (thread author)
Strange things are happening... I went to open up my browser (Firefox) to do what you asked me to, and 'it' opened up about 20 sessions of Firefox. I tried to open ESET, and although the icon is displayed on my system tray, when I try to open it, I get this message: "Error communicating with kernel". When I have tried to sign into Malware Tips, I repeatedly get error messages (started happening yesterday). I'm using another old piece of crap computer (that has just been wiped clean, so at least no malware on it) to communicate with you.

https://www.virustotal.com/en/file/...ad36435569d97e95fba66164/analysis/1398411614/
 

TwinHeadedEagle
First we will remove ESET, we will install it later:

ESET uninstall tool --> http://download.eset.com/special/eset_av_remover.exe




***** NEXT *****




Open Notepad and copy/paste the text present inside the code box below:
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Driver::
SRYRWDXZK

File::
c:\users\Tanya\AppData\Local\Temp\SRYRWDXZK.exe
c:\windows\system32\drivers\udcqtdbu.sys
c:\windows\system32\drivers\avdkvsra.sys
c:\windows\system32\drivers\ONJXZJVP.SYS

Folder::
c:\programdata\AVAST Software
c:\program files\Common Files\Bitdefender

ClearJavaCache::

Save this as CFScript.txt

[image: CFScriptB-4.gif]

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
 

Alien_Galaxy (thread author)
I have got ESET uninstalled. I had to end up doing a manual uninstall because the other one didn't work right. I haven't had a chance to do any more than that because I was away all day. I picked up the Alienware laptop at the repair shop so I will finally have something malware-free and fast to use, and will be able to get the rest done tomorrow. When doing my uninstall of ESET, the instructions include deleting some particular files, but I did not find them. Instead I came across a file called ESETOImarikOImascoCleaner.sys and was curious about whether it was legitimate or not?
 

Alien_Galaxy (thread author)
No it didn't. It appeared to work at the start, but once it got to the end of the uninstall, it gave me an error message saying that the uninstall was not successful (or something like that). So, I went to the ESET website and downloaded their manual uninstaller and followed their instructions for that process. I've had to do this once before in the past when I was doing an update to a newer version of ESET.
 

Alien_Galaxy (thread author)
Here is the ComboFix log. I also attached the ESET log report after my uninstall just in case you think there might be some problems with it.

I am just wondering if any of these logs show results for the D:\ drive? The reason I'm asking is because I never use that drive, and I don't understand why there are duplicates of the exact same pictures, videos, music, etc. as I have saved on my C:\ drive. Another thing that is odd is the fact that there are programs listed there that I would NEVER install on my computer (i.e. iTunes). I absolutely hate iTunes with a passion. I'm fairly sure that iTunes would have to be specifically downloaded by the user. There's also an install listed for a Logitech QuickCam, which we do not own because all of our laptops in our home have built-in webcams. There's an application file for uTorrent, which I got rid of ages ago. By the way, ESET is also still on this drive, which I just did a complete uninstall of. It's like a duplicate copy of the C:\ drive, but with a bunch of added crap. I noticed that the Recovery folder, Windows Defender folder, Config.Msi, and a few other folders have locks on them. I don't know if this means anything to you, but I thought I would mention it anyway.
 

Attachments

  • ComboFix.txt (48 KB)
  • ~ESETUninstaller.log (13.4 KB)

TwinHeadedEagle
Anything that you don't need, you can delete. I do not fully understand: is this your PC or what? About the other drive, do you have some backup software running? The PC appears clean; tell me, do you have any issues?

Also, re-run FRST, check Addition.txt, press Scan and attach both fresh reports.
 

Alien_Galaxy (thread author)
Yes, it is my computer, but I haven't used it since I got my Alienware (about 2 or so years ago), so it's hard to remember what programs I had used way back then. I don't believe any backup software is running, as my husband had us networked to one external hard drive that we backed up to. I don't really know much about that. The computer seems to be running okay at the moment. I've been looking through the D:\ drive some more and there is an HP file, and it appears to be for a keyboard driver. My computer is a Dell XPS M2010 http://www.google.ca/imgres?imgurl=http%3A%2F%2Fwww.engadget.com%2Fmedia%2F2006%2F05%2FDell-XPS-M2010.jpg&imgrefurl=http%3A%2F%2Fwww.engadget.com%2F2006%2F05%2F31%2Fdell-xps-m2010-gets-official%2F&h=332&w=407&tbnid=f4IEe0eZKqQXxM%3A&zoom=1&docid=TJgnnYdWNRrYSM&ei=97BeU5vrJtWvyASsi4J4&tbm=isch&client=firefox-a&ved=0CHQQMygRMBE&iact=rc&uact=3&dur=5107&page=1&start=0&ndsp=25 which you can see uses a specific custom-fit Bluetooth keyboard, and would therefore need specific drivers. I guess I never really looked too closely at all the program file folders before until now, and now that I am, I'm seeing a lot of stuff that is very questionable. The more I see, the more I am thinking it might be better to do a reformat and clean reinstall of Windows, and not to waste any more of your time. :-(
 

Alien_Galaxy (thread author)
Here are the fresh reports from FRST:
 

Attachments

  • FRST.txt (69.7 KB)
  • Addition.txt (28.1 KB)

TwinHeadedEagle
Reports look clean, you are malware free now...

The more I see, the more I am thinking it might be better to do a reformat and clean reinstall of Windows, and not to waste anymore of your time. :-(

I did what I could; now it is up to you to decide. If your PC is working well, there is no reason to reformat, but you should bring in someone with good computing knowledge to give you advice on what to do. I am limited here...


The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt)

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 

Alien_Galaxy (thread author)
Well, it is definitely running much better. I will ask my brother about my concerns with the D:\ drive, as he has good computing knowledge (being an I.T. manager). Is there anywhere on this forum where there is advice on which security or malware software is trustworthy and reliable? Utilities software?
 

Attachments

  • DelFix.txt (1.7 KB)
