Virus badly infected

Solved/Closed
verns87
Posts
7
Registration date
Friday December 23, 2011
Status
Member
Last seen
January 5, 2012
- Jan 2, 2012 at 04:40 PM
Ambucias
Posts
47366
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
- Jan 6, 2012 at 04:35 AM
Hello,

I was working with Ambucias last week, but haven't been able to update recently. I have a virus and at first when I started windows normally, it would not bring up any icons or taskbar, and ctl+alt+del would not work either. I then did a few things suggested by Ambucias, however still the same thing happened. I then pulled up the boot options on a reboot and restored windows to the last known good configuration. Now I can get into windows and get the task manager, however it is very slow and when I try to start a new task it just freezes. I can pull up a new task manager, but same result. Any suggestions?

13 replies

Ambucias - Jan 3, 2012 at 05:57 AM
Hello Vern

I thought that you had thrown in the towel.

System restoration was an excellent idea!

A sluggish system is much easier to fix than the problem you had before, only being able to boot in safe mode.

Did you flush the contents of the prefetch folder as I had asked you? If not, please do so. (As I recall, it contained over 50 infected files)

Do you wish to send me another ZHP Diag log to see what is in there now?
verns87 - Jan 3, 2012 at 07:41 AM
I forget...what is the prefetch folder?

Here is a new log.
http://speedy.sh/pjsn8/ZHPDiag.txt
Ambucias - Jan 3, 2012 at 04:26 PM
You are (I mean your system) still infected with adware, rogue etc.

The rollback to a previous date reinstalled Spybot and installed Tea Timer which will certainly come in conflict with your main antivirus and chew on your RAM and make your system sluggish. One antivirus scanning engine is quite sufficient. The same goes for Avast. If you paid for Malwarebyte, I suggest you keep only that one.

1. Open Explorer and in the left pane, go down to Windows and search for a folder called "prefetch". Click on that folder. All that you see in the right pane is malware. Select all files and delete them.

2. Empty your recycle bin.

I am not sure that you are sending me an updated log.

Please remove all of ZHP Diag using the add/remove program utility. Redownload ZHP Diag and send me a brand spanking new log.

While you are in the add/remove program utility, you may remove the extra antivirus programs you have.

Catch you tomorrow morning 5AM Illinois time.
verns87 - Jan 3, 2012 at 05:32 PM
Ok, I deleted the contents of the prefetch folder...as well as any other antivirus program, other than MBAM (I did not pay for MBAM), but I went ahead and deleted Avast for now, just in case it was a cause of the problem. I then uninstalled and then re-downloaded ZHP and here is a new log.

http://speedy.sh/bmM4U/ZHPDiag.txt
verns87 - Jan 3, 2012 at 05:39 PM
Success!!!

I restarted in normal mode and after starting up a bit slow everything is working. I am currently running MBAM again and will then just wait to see what you have to say before I restart to see if it works again (not sure if this might be a one time thing or not). But something must have done it...whether it was the prefetch, or deleting AVAST or whatever. I am sure it is far from free of virus/malware but it's a start!
Ambucias - Jan 4, 2012 at 04:38 AM
Hi. Success, so far yes, but not for long.

The log shows multiple infections including a rogue and a Trojan Horse called Tracur.

Let me know what MBAM found and deleted.

We will see after and we will use ZHP Fix.
verns87 - Jan 4, 2012 at 07:00 AM
MBAM didn't find anything.
Ambucias - Jan 4, 2012 at 04:16 PM
On your desktop, click on ZHP Fix.

Once it's open, click on the big H (which means Hospital Help).

1. Copy the following and paste in the main screen.
2. Click on Go
3. Close ZHP Fix
4. Send me a new log but please make sure, before you generate a new log that all previous logs have been deleted from your system.

Here is what to copy and paste

M3 - MFPP: Plugins - [Tyler] -- C:\Program Files\Mozilla FireFox\searchplugins\bing-zugo.xml[HKCU\Software\Ask.com] [HKCU\Software\AskToolbar]
O68 - StartMenuInternet: <IEXPLORE.EXE> <Internet Explorer>[HKLM\..\Shell\open\Command] (...) -- C:\DOCUME~1\Tyler\LOCALS~1\Temp\0.9308806720922289.exe (.not file.)
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.AboutPrivacyUrl", "http://www.conduit.com");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.CTID", "CT2720081")
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.CurrentServerDate", "18-9-2010
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.DialogsAlignMode", "LTR");)
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.DownloadReferralCookieData",
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.EMailNotifierPollDate", "Sat Sep 18 2010 12:04:34 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FeedLastCount129248891425073064", 80);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FeedPollDate129225116238185771", "Sat Sep 18 2010 11:57:25 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FeedPollDate129225147492879732", "Sat Sep 18 2010 11:57:25 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FeedPollDate129245643951202078", "Sat Sep 18 2010 11:57:25 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FeedPollDate129245643951202084", "Sat Sep 18 2010 11:57:25 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FeedTTL129225116238185771", 40);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FeedTTL129225147492879732", 40);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FeedTTL129245643951202078", 40);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FeedTTL129245643951202084", 40);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FirstServerDate", "18-9-2010");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FirstTime", true);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FirstTimeFF3", true);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FirstTimeSettingsDone", true);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.FixPageNotFoundErrors", true);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.GroupingServerCheckInterval", 1440);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.GroupingServiceUrl", "http://grouping.services.conduit.com/");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.Initialize", true);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.InitializeCommonPrefs", true);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.InstallationAndCookieDataSentCount", 1);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.InstallationType", "UnknownIntegration");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.InstalledDate", "Sat Sep 18 2010 11:57:24 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.InvalidateCache", false);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.IsGrouping", false);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.IsMulticommunity", false);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.IsOpenThankYouPage", false);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.IsOpenUninstallPage", true);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.LanguagePackLastCheckTime", "Sat Sep 18 2010 11:57:26 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.LanguagePackReloadIntervalMM", 1440);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.LanguagePackServiceUrl", "http://translation.users.conduit.com/Translation.ashx");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.LastLogin_2.7.2.0", "Sat Sep 18 2010 11:57:25 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.LatestVersion", "2.7.2.0");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.Locale", "en");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.LoginCache", 4);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.MCDetectTooltipHeight", "83");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.MCDetectTooltipUrl", "http://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.MCDetectTooltipWidth", "295");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.RadioIsPodcast", false);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.RadioLastCheckTime", "Sat Sep 18 2010 11:57:27 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.RadioLastUpdateIPServer", "3");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.RadioLastUpdateServer", "129248947734170000"); =>
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.RadioMediaID", "21079850");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.RadioMediaType", "Media Player");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.RadioMenuSelectedID", "EBRadioMenu_CT272008121079850");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.RadioStationName", "AHL%20-%20Grand%20Rapids%20Griffins");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.RadioStationURL", "http://cdncon.wm.llnwd.net/cdncon_neulion1_ahl_griffins?eid=2037&pid=2037&gid=101]]");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.SearchInNewTabEnabled", true);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.SearchInNewTabIntervalMM", 1440);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.SearchInNewTabLastCheckTime", "Sat Sep 18 2010 11:57:26 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.SearchInNewTabServiceUrl", "http://newtab.conduit-hosting.com/newtab/?ctid=EB_TOOLBAR_ID");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.SearchInNewTabUsageUrl", "http://Usage.Hosting.conduit-services.com/UsageService.asmx/UsersRequests?
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.SettingsLastCheckTime", "Sat Sep 18 2010 11:57:24 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.SettingsLastUpdate", "1284635544");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.ThirdPartyComponentsInterval", 504);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.ThirdPartyComponentsLastCheck", "Sat Sep 18 2010 11:57:23 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.ThirdPartyComponentsLastUpdate", "1246790578");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.TrusteLinkUrl", "http://www.truste.org/pvr.php?page=validate&softwareProgramId=101&sealid=112");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.UserID", "UN63401295221016158");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.WeatherNetwork", "");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.WeatherPollDate", "Sat Sep 18 2010 11:57:26 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.WeatherUnit", "F");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.alertChannelId", "1112366");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.clientLogIsEnabled", true);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.clientLogServiceUrl", "http://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.myStuffEnabled", true);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.myStuffPublihserMinWidth", 400);
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.myStuffSearchUrl", "http://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOrigin=29
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.myStuffServiceUrl", "http://mystuff.conduit-services.com/MyStuffService.ashx?
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CommunityToolbar.ToolbarsList", "CT2720081"); => Infection BT (Possible)
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CommunityToolbar.ToolbarsList2", "CT2720081");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CommunityToolbar.facebook.settingsLastCheckTime", "Sat Sep 18 2010 11:57:26 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CommunityToolbar.twitter.user_14293310.LastCheckTime", "Sat Sep 18 2010 11:57:27 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CommunityToolbar.twitter.user_2557521.LastCheckTime", "Sat Sep 18 2010 11:57:27 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CommunityToolbar.twitter.user_428333.LastCheckTime", "Sat Sep 18 2010 11:57:27 GMT-0500 (Central Daylight Time)");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CommunityToolbar.twitter.user_807095.LastCheckTime", "Sat Sep 18 2010 11:57:27 GMT-0500 (Central Daylight Time)");
O69 - SBI: SearchScopes [HKCU] {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} - (Search the web (Babylon)) - http://search.babylon.com [HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ecdf796-c2dc-4d79-a620-cce0c0a66cc9}] => Infection BT (Adware.MyWebSearch)
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF]

SS - | Demand 1/3/2012 6144 | (MEMSWEEP2) . (.Sophos Plc.) - C:\WINDOWS\system32\3.tmp
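As an added example (my own code, not from the thread or from the ZHP tools' authors): a small Python parser for script lines in the format of the ZHPFix script above. It pulls out the Firefox user_pref names and values, the items ZHPDiag marked with an "=> Infection" verdict, the remote hosts the toolbar preferences point at, and the Conduit toolbar ids, so a defender can see at a glance what such a script would remove and where the toolbar phones home. The sample lines are constructed from the thread's own format; the regexes describe my assumptions about that format, not an official grammar.

```python
import re
from collections import Counter

# Constructed sample: a few lines in the same format as the ZHPFix script
# posted in the thread (one ZHPDiag item per line).
SAMPLE_SCRIPT = r"""
M3 - MFPP: Plugins - [Tyler] -- C:\Program Files\Mozilla FireFox\searchplugins\bing-zugo.xml[HKCU\Software\Ask.com] [HKCU\Software\AskToolbar]
O68 - StartMenuInternet: <IEXPLORE.EXE> <Internet Explorer>[HKLM\..\Shell\open\Command] (...) -- C:\DOCUME~1\Tyler\LOCALS~1\Temp\0.9308806720922289.exe (.not file.)
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.Locale", "en");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CT2720081.GroupingServiceUrl", "http://grouping.services.conduit.com/");
O69 - SBI: prefs.js [Tyler - yem2jtmo.default] user_pref("CommunityToolbar.ToolbarsList", "CT2720081"); => Infection BT (Possible)
O69 - SBI: SearchScopes [HKCU] {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} - (Search the web (Babylon)) - http://search.babylon.com [HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ecdf796-c2dc-4d79-a620-cce0c0a66cc9}] => Infection BT (Adware.MyWebSearch)
SS - | Demand 1/3/2012 6144 | (MEMSWEEP2) . (.Sophos Plc.) - C:\WINDOWS\system32\3.tmp
"""

# Assumed line shape: "<section code> - <body>" plus an optional " => <verdict>".
LINE_RE = re.compile(r"^(?P<code>[A-Z]+\d*) - (?P<body>.*?)(?: =>\s*(?P<verdict>.*))?$")
# Firefox user_pref("name", value); as carried in the O69 SBI: prefs.js items.
PREF_RE = re.compile(r'user_pref\("(?P<name>[^"]+)",\s*(?P<value>.*)\);$')
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
TOOLBAR_ID_RE = re.compile(r"\bCT\d{7}\b")  # Conduit community-toolbar ids

def parse_line(line):
    """Return a dict for one script line, or None if it is not an item line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    entry = {"code": m.group("code"), "body": body,
             "verdict": m.group("verdict") or None,
             "pref": None, "value": None, "hosts": HOST_RE.findall(body)}
    pm = PREF_RE.search(body)
    if pm:  # keep the pref name and its value without surrounding quotes
        entry["pref"] = pm.group("name")
        entry["value"] = pm.group("value").strip().strip('"')
    return entry

def parse_script(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def summarize(entries):
    """Counts per section code, flagged items, remote hosts and toolbar ids."""
    hosts, toolbar_ids = set(), set()
    for e in entries:
        hosts.update(h.lower() for h in e["hosts"])
        toolbar_ids.update(TOOLBAR_ID_RE.findall(e["body"]))
    return {"by_code": Counter(e["code"] for e in entries),
            "flagged": [e for e in entries if e["verdict"]],
            "hosts": sorted(hosts), "toolbar_ids": sorted(toolbar_ids)}

if __name__ == "__main__":
    report = summarize(parse_script(SAMPLE_SCRIPT))
    print(dict(report["by_code"]), report["hosts"], report["toolbar_ids"])
    print([(e["code"], e["verdict"]) for e in report["flagged"]])
```

Feeding it the full script from the post instead of the sample gives the complete list of Conduit hosts and flagged items before anything is deleted, which is the record you want to keep for later comparison.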
verns87 - Jan 4, 2012 at 09:43 PM
Did the following. Here are the two logs. The first is the fixlog after running ZHPFix
The second log is the ZHP diag report (I made sure it was the new one)

http://speedy.sh/vXNNr/ZHPFixReport.txt

http://speedy.sh/kqPPv/ZHPDiag.txt
ashu44 - Jan 5, 2012 at 01:37 AM
Thanks, Ambucias bro, your sharing is very useful.
Ambucias - Jan 5, 2012 at 05:01 AM
Thank God for small mercies, we are almost there.

No more rogues and all Trojan Horses have been sent to the glue factory.

There are only two minor bugs called BT or browser helper object infections which may redirect your browser to unwanted sites and possibly reinfect your system with more damaging stuff.

The following instructions should conclude my intervention.

PHASE ONE

1. Open Explorer
2. Left pane, find "ask.com" or asknow
3. Click on that file and delete it
4. Again in program files, find and delete: Mozilla FireFox\searchplugins\bing-zugo.xml
5. Delete this useless file:
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
6. Delete:
C:\Program Files\Conduit

It seems that you have been listening to the radio; that application and the corresponding files in your browser favorites should be deleted.

PHASE TWO

1. You really don't need Net Framework which is used to develop software. It takes useless space on your disk.

Go to your control panel, add/remove software, and delete it.

2. Do the same for these applications:

Crawler Spyware Terminator
Malwarebyte

3. Reinstall Avast NOW and update

PHASE THREE

Download, install and run this totally free yet very efficient registry cleaner:

https://ccm.net/download/download-13339-eusing-free-registry-cleaner

Delete all items found. (In your case there may be several hundred.)

PHASE FOUR

1. Create a new restore point, you may name it "Kioskea" or Ambucias;-)
(all programs, tool, Restore)

PHASE FIVE (LAST)

Now, for better performance you must defragment your disk.

Download, install and run this defragmenting utility.

https://ccm.net/download/download-1454-defraggler

That's it, you're on your way to heaven...and don't take any wooden nickels.
verns87 - Jan 5, 2012 at 05:07 PM
Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you!!!!

I can't tell you how much I appreciate it. I never thought that this would be fixable without reformatting!!!!!

You are a true computer genius!
Ambucias - Jan 6, 2012 at 04:35 AM
You are making me blush! You are most welcome!

Two last pieces of advice. Whenever you download an application, before launching it, right-click on the icon and scan for viruses; it's not 100% but it sometimes helps.

Avast is not the best antivirus application. I recommend Kaspersky and F-Secure; however, don't touch Norton, even with a ten foot pole.