[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Computer still slow after removal of "Data-Recovery" Malware

Posted on 2011-09-25
14
Medium Priority
?
340 Views
Last Modified: 2012-05-12
I recently removed the Malware that infected my computer called Data Recovery. My computer is still responding extreamely slow. It's also playing music or radio station without any player running. (It's hearing things!!)

I ran Combofix on it. Can someone take a look at my log file for me please.  combofix.txt
0
Comment
Question by:Laballa1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
14 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 36596719
Detailed instructions for properly removing the "Data Recovery" variant are here:
http://www.bleepingcomputer.com/virus-removal/remove-data-recovery

If you have problems using the recommended rogue process stopper (Rkill) you can try using "RogueKiller" instead.

Details here: Rogue-Killer-What-a-great-name
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36597224
I assume that is a fresh download of combofix? If not then download a fresh copy and run it again.

You could also try running Kaspersky's virus removal tool.
http://www.kaspersky.com/antivirus-removal-tool?form=1
0
 

Author Comment

by:Laballa1
ID: 36598578
Yes, that was a fresh download of combo fix. I've ran McAffee anti-virus and it didn't report any problems. Do you think I should try again with Kaspersky?
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36598643
The system may still have some nasties that combofix didn't detect so I would try running Kaspersky virus removal or at least another scanner to check what the other scanners have missed.

You can also run OTL.exe, this one is a diagnostic tool and won't delete anything without a script but will generate a logfile that we can check.


Download OTL, save to Desktop or other convenient location.
http://oldtimer.geekstogo.com/OTL.exe
OTL does not need to be installed, simply click the OTL icon to run
Click the Quick Scan Button.
Post/attach the log here.
0
 

Author Comment

by:Laballa1
ID: 36601353
I ran OTL and attached the two logfiles that it generated.

I also re-ran Malwarebytes and it found two things and I had it fix them. I'm going to download Kaspersky now and run it if I can. It's sooooo slow.
OTL-Extras-Log.txt
OTL-Logfile.txt
0
 

Author Comment

by:Laballa1
ID: 36709108
I downloaded Kaspersky and attempted to run it. It required me to remove McAffee, after I did that Kaspersky would not run. It says checking the computer for threats before installing, and it does that for hours.
Is there a virus scan that I can run from the internet that doesn't require installation, that could possibly avoid the block that is causing Kaspersky not to install.
0
 

Author Comment

by:Laballa1
ID: 36817196
Do anyone else have any suggestions that could possibly help me?
0
 
LVL 9

Expert Comment

by:Ashok Dewan
ID: 36817231
Can you see the processes through task manager ?
0
 

Author Comment

by:Laballa1
ID: 36855760
Yes, I can see the processes.
0
 

Author Comment

by:Laballa1
ID: 36862967
Every scanner that I try to run crash. I've tried Norton Power Eraser, tdsskiller, Kaspersky, Malwarebytes, Clam Win AV, Trend Micro AV. I just don't know what to do.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 2000 total points
ID: 36891242
Apart from a lot of unneeded programs there can't see any obvious malicious entries, if there is then it's stealth maybe also try Gmer..


Also Run OTL to remove these ADS.
Under the Custom Scans/Fixes box at the bottom, paste in the following

----------------------------------------------------
:OTL
[2006/01/13 00:33:53 | 000,031,744 | ---- | C] () -- C:\Documents and Settings\Mrs. Hall\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
@Alternate Data Stream - 160 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C39E55C5
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

----------------------------------------------------

•Then click the Run Fix button at the top
•Let the program run unhindered, reboot the PC when it is done
•Open OTL again and click the Quick Scan button.


I'm curious and concern about this value(below) in BootExecute which combofix isn't able to read, that could be a bad value and if a scanner removes it unsuccessfully it will cause the PC to not boot.
BootExecute      REG_MULTI_SZ         autocheck autochk *\0?????


You can also try these free online scanners:
http://housecall.trendmicro.com/au/
http://go.eset.com/us/online-scanner
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36891268
For those programs that crashed, try running them by dragging them over the inherit.exe and see if they still crash. Try TDDSkiller first, if the crash are caused by some variant of ZA rootkit blocks, but then CF should've taken care of that if that was the case but worth a try.

Download inherit.exe by sUBs.
http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
Drag the program's executable file into the inherit.exe and wait for it to say OK.
0
 

Author Closing Comment

by:Laballa1
ID: 36902958
Thanks so much for all your help. After I ran the script in OTL, I ran TDSSKiller, and was then able to install and run McAffee. It found and removed some nasties. I think everything is working correctly now.

Again, Thanks.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36903180
Glad to know things are working correctly now.
Thanks.
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn how the use of a bunch of disparate tools requiring a lot of manual attention led to a series of unfortunate backup events for one company.
Employees depend heavily on their PCs, and new threats like ransomware make it even more critical to protect their important data.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question