

Malware programs won't start following DNS hijack


16 replies to this topic

#1 mark40

mark40

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:34 PM

Posted 19 May 2009 - 10:34 PM

My system info:
Win xp home sp2
home built PC

Antivirus programs running together for the past 6-8 months:
Prevx Edge Ver 3.0.1.65
Eset smart security suite (firewall, antivirus, antispyware)
Malwarebytes anti-malware
Super anti-spyware

Symptoms:
some spyware/malware programs stopped working,
web pages had extra characters in the address bar,
defragmenter won't work,
System Restore is inop even though it is enabled on all drives,
online virus scanner won't start and run


About a week ago, I let an ActiveX app install from a site I was on surfing the web. It said it was Microsoft stuff and I figured it was needed. (I use MSN browser most of the time.) I noticed since then that my SUPERAntiSpyware would fail to open on start-up and let me know with a "failed to start" type of message. I tried scanning with Malwarebytes and it wouldn't open even though it was running in Task Manager. ESET and Prevx Edge found nothing when I ran them.
SUPERAntiSpyware alternate startup worked OK and found two registry HKLM entries and said it was a DNS hijack from an ActiveX app and quarantined them. Luckily I had the original DNS numbers written down in my router instruction book and got my connection back after quarantine.
My MSN home page wouldn't open correctly; the address bar had extra characters before and after msn.com. Fixed that by resetting the home page.
Re-tried Malwarebytes, no go. Went to the Trend Micro HouseCall site and it wouldn't run because of a Java issue even though I clicked their link and got the latest Java installed.
Closed MSN and tried Internet Explorer to run Trend Micro, same result. Noticed the privacy setting icon at the bottom of the screen and saw there that all kinds of Trend Micro links had been blocked (as far as cookies go). Don't know how to allow all those links rights to cookies.

Finally I did a search for 'malware programs not opening' and came across a suggestion to use ComboFix. The person had given a link and instructions on how to download ComboFix, save it as 123.exe to the desktop, then run it.
I followed the ComboFix instructions (was not able to completely shut off Prevx Edge and ComboFix let me know). It downloaded the Windows Recovery Console and installed it. Then the PC restarted. Once back at the desktop, it found some rootkit issue and told me to write down two things from Windows\system32 that it might need later (I have these if we need them, very long). Then it restarted the PC again and the window said 'nircmdc' is not a valid something or other, and the popup box for ComboFix said something to the following effect: "ComboFix has been compromised" and that I should delete the current version and download a fresh version from this site; there may be a 'patcher' virus or something it called "virut".

Now I'm here, and find out that ComboFix needs expert guidance before use, so I stopped where I'm at to see if y'all can help me out.
Thanks for the site and any help you have to offer,
Mark



#2 trashcan7

trashcan7

  • Members
  • 402 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:34 PM

Posted 19 May 2009 - 11:41 PM

Well, if your computer is booting up successfully now, then there's a way to run Malwarebytes' Anti-Malware. Some viruses block these programs, but you can simply rename the file in Program Files to something like mbam1.exe and it'll run.

#3 mark40

mark40
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:34 PM

Posted 20 May 2009 - 01:20 AM

OK, I'll give that a try and let you know.

#4 mark40

mark40
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:34 PM

Posted 20 May 2009 - 02:35 AM

Thanks. That worked. I was able to run Malwarebytes after renaming it, but not until I pulled up Task Manager and stopped the two background apps of Malwarebytes.

After restart, defragmenter, System Restore, SUPERAntiSpyware, and Malwarebytes all work right. :flowers: :thumbsup:

Here is what the scanner found:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

5/20/2009 1:47:23 AM
mbam-log-2009-05-20 (01-47-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 155887
Time elapsed: 24 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-9-2-70-100020469-100010186-100019067-5756.com (Trojan.Agent) -> Quarantined and deleted successfully.

#5 rosiesdad

rosiesdad

  • Members
  • 220 posts
  • OFFLINE
  •  
  • Local time:06:34 PM

Posted 20 May 2009 - 05:29 AM

Awesome, thanks for sharing all this with us. We learn by following these.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:34 PM

Posted 20 May 2009 - 09:47 AM

Hello, I would like you to run 3 more tools here, thanks.

Run ATF and SAS:
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete Scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now Part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Please ask any needed questions, post the 2 logs and let us know how the PC is running now.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 mark40

mark40
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:34 PM

Posted 20 May 2009 - 08:17 PM

OK boopme, I followed your steps and here are the two scan logs you requested. Question: are the scan options you requested for SAS for this event the same options as you would keep for SAS all the time, or should I recheck some of the boxes? I have the full version with all options available for selecting.
Thanks for your interest in my situation.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/20/2009 at 07:48 PM

Application Version : 4.22.1014

Core Rules Database Version : 3900
Trace Rules Database Version: 1846

Scan type : Complete Scan
Total Scan Time : 01:15:44

Memory items scanned : 160
Memory threats detected : 0
Registry items scanned : 9972
Registry threats detected : 9
File items scanned : 66779
File threats detected : 0

Trojan.Unknown Origin
HKLM\SYSTEM\CurrentControlSet\Services\vkquwexg
HKLM\SYSTEM\CurrentControlSet\Services\vkquwexg#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\vkquwexg#Group
HKLM\SYSTEM\CurrentControlSet\Services\vkquwexg#start
HKLM\SYSTEM\CurrentControlSet\Services\vkquwexg#type
HKLM\SYSTEM\CurrentControlSet\Services\vkquwexg#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\vkquwexg#ticepjbx
HKLM\SYSTEM\CurrentControlSet\Services\vkquwexg#bcaumijj
HKLM\SYSTEM\CurrentControlSet\Services\vkquwexg#jnmyfols

AND

SmitFraudFix v2.416

Scan done at 20:03:49.82, Wed 05/20/2009
Run from C:\Documents and Settings\Mark\Desktop\Virus info\Apps to use\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Prevx\prevx.exe
K:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Prevx\prevx.exe
K:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VIA\RAID\vialogsv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
K:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Mark\Desktop\Virus info\Apps to use\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Mark


C:\DOCUME~1\Mark\LOCALS~1\Temp


C:\Documents and Settings\Mark\Application Data

C:\Documents and Settings\Mark\Application Data\Skinux FOUND !

Start Menu


C:\DOCUME~1\Mark\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45 - Packet Scheduler Miniport
DNS Server Search Order: 208.180.42.100
DNS Server Search Order: 208.180.42.68

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3384814B-31E9-4FE6-A876-6E4E2BBAADDE}: NameServer=208.180.42.100,208.180.42.68
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3384814B-31E9-4FE6-A876-6E4E2BBAADDE}: NameServer=208.180.42.100,208.180.42.68
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3384814B-31E9-4FE6-A876-6E4E2BBAADDE}: NameServer=208.180.42.100,208.180.42.68
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3384814B-31E9-4FE6-A876-6E4E2BBAADDE}: NameServer=208.180.42.100,208.180.42.68


Scanning for wininet.dll infection


End
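The MBAM log in post #4 and the SmitfraudFix "DNS" section in post #7 both expose the Tcpip NameServer values per control set, which is the one artefact a defender most wants to check after a DNSChanger infection (the hijacked servers were written into ControlSet002 and ControlSet003 as well as CurrentControlSet, so "Last Known Good" would not have undone it). The following is an added example, not code from the thread or from either tool: it parses both log formats, extracts the resolvers per control set, and flags any address outside an allow-list. The allow-list values are assumed to be the ISP resolvers shown in the clean log; on a real machine take them from the router, as the original poster did.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, NamedTuple

# Constructed sample input, copied from the two log formats quoted in this
# thread: the MBAM "Registry Data Items Infected" lines (post #4, before
# cleaning) and the SmitfraudFix "DNS" section (post #7, after cleaning).
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
"""
SMITFRAUD_SAMPLE = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3384814B-31E9-4FE6-A876-6E4E2BBAADDE}: NameServer=208.180.42.100,208.180.42.68
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3384814B-31E9-4FE6-A876-6E4E2BBAADDE}: NameServer=208.180.42.100,208.180.42.68
"""
# Assumed allow-list: the ISP resolvers visible in the clean SmitfraudFix log.
# On your own machine take these from the router's configuration.
EXPECTED_DNS = ("208.180.42.100", "208.180.42.68")

# Matches both "...\Tcpip\Parameters\NameServer (...) -> Data: a,b" (MBAM)
# and "...\Tcpip\..\{GUID}: NameServer=a,b" (SmitfraudFix).
NAMESERVER_RE = re.compile(
    r"^(?:HKEY_LOCAL_MACHINE|HKLM)\\SYSTEM\\(?P<cs>\w+)\\Services\\Tcpip\\"
    r".*?NameServer(?:\s*=\s*|.*?Data:\s*)(?P<servers>[\d.]+(?:,[\d.]+)*)",
    re.IGNORECASE,
)


class NameServerEntry(NamedTuple):
    control_set: str     # normalised: CCS, CS1, CS2, ...
    servers: List[str]   # resolver addresses in search order


def normalize_control_set(name: str) -> str:
    """Map CurrentControlSet/ControlSet00N and the CCS/CSN shorthand to one form."""
    lowered = name.lower()
    if lowered == "currentcontrolset":
        return "CCS"
    m = re.fullmatch(r"(?:controlset|cs)0*(\d+)", lowered)
    return f"CS{m.group(1)}" if m else name.upper()


def extract_nameservers(log_text: str) -> List[NameServerEntry]:
    """Pull every Tcpip NameServer value out of MBAM or SmitfraudFix log lines."""
    entries = []
    for line in log_text.splitlines():
        m = NAMESERVER_RE.match(line.strip())
        if m:
            entries.append(NameServerEntry(
                normalize_control_set(m.group("cs")),
                m.group("servers").split(","),
            ))
    return entries


def audit_nameservers(log_text: str, expected: tuple) -> Dict[str, List[str]]:
    """Return {control_set: [rogue resolvers]} for servers outside the allow-list.

    An empty dict means every control set uses only expected resolvers.
    Malformed addresses are reported as rogue rather than silently skipped.
    """
    allowed = {ip_address(e) for e in expected}
    rogue: Dict[str, List[str]] = {}
    for entry in extract_nameservers(log_text):
        for server in entry.servers:
            try:
                ok = ip_address(server) in allowed
            except ValueError:
                ok = False
            if not ok:
                found = rogue.setdefault(entry.control_set, [])
                if server not in found:
                    found.append(server)
    return rogue


if __name__ == "__main__":
    for label, sample in (("MBAM (before)", MBAM_SAMPLE),
                          ("SmitfraudFix (after)", SMITFRAUD_SAMPLE)):
        result = audit_nameservers(sample, EXPECTED_DNS)
        print(label, "->", result or "all control sets use the expected resolvers")
```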

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:34 PM

Posted 20 May 2009 - 08:26 PM

Hello, those are the settings we at BC recommend for the most effective scan in the most prevalent areas of infection.

We need to run part 2
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Now Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick Scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#9 mark40

mark40
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:34 PM

Posted 20 May 2009 - 10:43 PM

Alright, step 2 is finished. Logs below. I notice a definite speed increase in overall system performance.
Some things I noticed during step 2: while in Safe Mode and running option 2, Disk Cleanup was trying to run for each HDD. Is that normal? It seemed to be hung up. I canceled it after about 5 min. and option 2 had finished without a reboot prompt so I rebooted anyway.
On reboot, the PC got hung while loading the desktop; gave it 5 mins and then held down power to shut off. (Would not respond to any input.)
On reboot, got the option to start Windows normally and then it did. All else seems OK now.


SmitFraudFix v2.416

Scan done at 21:49:27.04, Wed 05/20/2009
Run from C:\Documents and Settings\Mark\Desktop\Virus info\Apps to use\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\Documents and Settings\Mark\Application Data\Skinux\ Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3384814B-31E9-4FE6-A876-6E4E2BBAADDE}: NameServer=208.180.42.100,208.180.42.68
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3384814B-31E9-4FE6-A876-6E4E2BBAADDE}: NameServer=208.180.42.100,208.180.42.68
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3384814B-31E9-4FE6-A876-6E4E2BBAADDE}: NameServer=208.180.42.100,208.180.42.68
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3384814B-31E9-4FE6-A876-6E4E2BBAADDE}: NameServer=208.180.42.100,208.180.42.68


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


RK.2



Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



Malwarebytes' Anti-Malware 1.36
Database version: 2161
Windows 5.1.2600 Service Pack 2

5/20/2009 10:27:24 PM
mbam-log-2009-05-20 (22-27-24).txt

Scan type: Quick Scan
Objects scanned: 94805
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 mark40

mark40
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:34 PM

Posted 20 May 2009 - 10:49 PM

I see my clock at the bottom right is now in military time. It's 12 hr time at the Adjust Date and Time screen. How do I get back 12 hr time in the toolbar?

#11 rowal5555

rowal5555

    Just enough info to be armed & dangerous...


  • Members
  • 2,644 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:St Kilda, Dunedin. South Island. NZ
  • Local time:11:34 AM

Posted 21 May 2009 - 12:44 AM

Hi Mark

You can change your time settings in Control Panel/Regional and Language Options/Time. (A capital H or a small h will make the difference).

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:34 PM

Posted 21 May 2009 - 03:44 PM

Yes, that will happen... So are there any more signs of infection as you look good?

Just in case
To fix the clock display:

Go to Start >> Control Panel.
Select Regional and Language Options.
In the Standards and Formats section... next to the language you are using... click the Customize...button
Press the Time...tab.
In the Time Format...box, for 12 hour time display... change the format to:

h mm ss tt
or
hh mm ss tt


Select the other display options you want... separator, AM, PM...
When done... click Apply and OK as needed.

#13 mark40

mark40
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:34 PM

Posted 21 May 2009 - 11:09 PM

OK, thanks to both rowal5555 and boopme about the clock. That got me fixed.

So far all things are working very well. The PC seems very responsive now compared to before.
Just a few questions to finish up.
1. Does the speed increase come from the step 2 cleanup process? Or were the infections running and using up resources?
2. How did this stuff get by all 4 programs I have going (post 1) and manage to disable 2 of them?
3. What settings do you recommend for the other 3 programs (besides SAS)? I thought I had them set up right.
4. I use RegCure about once a month. It is about to expire. Is that a good program to use or do you recommend something better?
5. I have 2 other computers. Do you recommend that I apply all the steps that we did here to the other two PCs, even if they don't show signs of infection?


I thought I saw a sticky thread about how this happened and what to do to help prevent it again. Going to check that now. Maybe some of my questions will be answered there, but any other advice is welcome.
Thanks for all your help,
Mark

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:34 PM

Posted 22 May 2009 - 11:18 AM

Just a few questions to finish up.
1. Does the speed increase come from the step 2 cleanup process? Or were the infections running and using up resources?
2. How did this stuff get by all 4 programs I have going (post 1) and manage to disable 2 of them?
3. What settings do you recommend for the other 3 programs (besides SAS)? I thought I had them set up right.
4. I use RegCure about once a month. It is about to expire. Is that a good program to use or do you recommend something better?
5. I have 2 other computers. Do you recommend that I apply all the steps that we did here to the other two PCs, even if they don't show signs of infection?


I thought I saw a sticky thread about how this happened and what to do to help prevent it again. Going to check that now. Maybe some of my questions will be answered there, but any other advice is welcome.


You're most welcome, from all of us at BC. This may be the topic you wanted... read quietman7's excellent prevention tips in post 17 here
Click>> Tips to protect yourself against malware and reduce the potential for re-infection:

Questions...
1) If you mean the pages and sites are a bit slow... that should return as you revisit and repopulate all your regular sites. We cleaned all the Temp and cookie files.
2) Hard to say exactly, but if one got through then it was dropping others while there. Here's a good explanation of what you had: Malware Silently Alters Wireless Router Settings
3) The settings I posted are best. Smitfraud should be removed as it's not a tool to run if the infections it works on are not on the machine. It can cause other problems.
4) Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

:trumpet: Registry cleaners can damage the registry by using aggressive cleaning routines. Many users (including some Staff Members) have reported problems after using registry cleaning tools - to include those tools released by Microsoft. This can cause your system to become unbootable.

:flowers: Registry cleaners generally don't do anything significant for your system. This topic discusses it in greater detail than we could address here: http://www.windowsbbs.com/showthread.php?t=61015 Although the topic discusses the XP registry, the concepts there apply to all other versions of Windows.

:thumbsup: Not all registry cleaners create a backup of your registry before making changes. If the changes prevent the system from booting/logging in, then there's no backup to restore in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
5) Run ATF, SAS and MBAM... nothing else, well, your A/V... post a log and get proper help. It's safer.

#15 mark40

mark40
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:34 PM

Posted 22 May 2009 - 10:11 PM

Will do. Thanks again for all the help and the links you listed for more info.
How do you high tech guys take care of keeping your registry streamlined and accurate? Or should it just be left alone altogether?



