Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virus-rootkit infection, can't uptdate windows [Closed]


  • This topic is locked This topic is locked

#16
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
There is a way of reducing boot times however, it will take an hour or so to run

Download the SDK web installer from here
Run the installer and select the following:

Leave the location to default
wdk%20location.JPG

Windows Performance Toolkit
Wintoolkitselect.JPG

You must reboot on completion of the install

After reboot set aside about 30 minutes when you will not need the computer

When ready start an elevated command prompt :

Go Start > All Programs > Accessories
Right click Command Prompt and select Run as Administrator

Then copy and paste the following command into the black box :

xbootmgr -trace boot -prepSystem -verboseReadyBoot

sdk%20command.JPG

Now your PC will be restarted 6 times. With a two minute pause before the tool runs after the desktop loads
After the second reboot the MS defragmentation program is running and is placing the files into an optimized layout, so that Windows will boot up faster
The last Reboots are training of readyBoot. After the training is finished, you'll notice a huge improvement in startup.

Readyboot
 

The logical prefetching described above is used when the system has less than 512MB of memory. If the system has 700MB or more then an in-RAM cache is used to further optimize the boot process (its not clear from the book whether or not this ReadyBoot cache completely replaces the logical prefetching approach or just builds on it, my assumption is that both work together).
After each boot the system generates a boot caching plan for the next boot using file trace information from up to the five previous boots which contains details of which files were accessed and where on the disk they were located. These traces are stored as .fx files in the


  • 1

Advertisements


#17
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

Okay thanks i will do that, and i have  a question, i can do the same things that you told me to do in another computer that is the same computers?, my famili brought a laptop in the same store, at the same time, and same everything, its recently formatted two, the only diference beetwen that computer and mine, its that the other one have trend micro internet security installed, or all this repairs its for my computer?


  • 0

#18
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
In each case the fixes are tailored to that system so if the other system has problems then it will need its' own solution :)
  • 0

#19
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

okay, perfect, thanks,

 

I have another question, I need to follow the steps of putting that command on the cmd, after every reboot manually?, or I have to wait that it would do the work alone, because I put the command and reboot one time, and then nothing happens


  • 0

#20
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
Oh it's seems that it's already working, I don't know why the first time didnt work
  • 0

#21
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

well it's done, it's a next step remaining, or with that my pc is ready?, ( I see it's very fast now).

and I was thinking to do some malware scanning and see if the scanners found something.


Edited by samidelcueva, 25 July 2015 - 05:01 PM.

  • 0

#22
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No the command only needs to be entered once to run the whole process

Please download Malwarebytes Anti-Malware to your desktop
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Ensure that "Enable free trial of Malwarebytes Anti-Malware Premium" is unchecked
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

To access logs from Malwarebytes Anti-Malware 2.0:

mbamlogs.JPG

1.Open Malwarebytes Anti-Malware 2.0
2.Click History > Application Logs
3.Double-click the log you would like to open

Scan Logs record detections from manual scans, including threats detected and the actions taken against them

To save a Scan Log:

1.Open the log file you would like to save
2.Click Export
3.Choose to export to a .txt
4.Choose a folder to save the log file in, then click Save
5.Post that log here
  • 0

#23
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

I attach the MBAM log:

 

but also I put yesterday some other scanners, and some found nothing, but others find something:

 

Junkware Removal tool find these:

 

 

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{71576546-354D-41C9-AAE8-31F2EC22BF0D}
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{71576546-354D-41C9-AAE8-31F2EC22BF0D}

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{71576546-354D-41C9-AAE8-31F2EC22BF0D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}

 

~~~ Files

Successfully deleted: [File] C:\Users\samuel\AppData\Roaming\sp_data.sys (This always appears when I put JRT)

 

Emsisoft emergency kit, (these ones appears again and again):

 

Scan start: 7/25/2015 9:29:59 PM
Value: HKEY_USERS\S-1-5-21-401314101-946683506-2006832327-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR  detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-401314101-946683506-2006832327-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  detected: Setting.DisableRegistryTools (A)

 

and after it supposed that emssoft delete those registry entries, panda cloud cleaner found this ones again, and other things, but I think that its a FP's:

 

Unknown. FILE: C:\PROGRAM FILES (X86)\ASUS\ASUS LIVE UPDATE\UPDATECHECKER.EXE to be deleted.

Unknown. TASK: Task\[Update Checker]. Task to be deleted.

Unknown. FILE: C:\PROGRAM FILES (X86)\ASUS\WEBSTORAGE\2.1.2.301\ASUSWSWINSERVICE.EXE to be deleted.

Unknown. REGKEY: HKLM\SYSTEM\CurrentControlSet\Services\Asus WebStorage Windows Service. Key to be deleted.

Unknown. FILE: C:\PROGRAM FILES (X86)\ST MICROELECTRONICS\ST_ACCEL\FFP_MANAGER.EXE to be deleted.

Unknown. REGKEY: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[ASUS HDD Protection Tray Application]. Value: ASUS HDD Protection Tray Application To be deleted.

Malware. REGKEY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLEREGISTRYTOOLS]. Value: DISABLEREGISTRYTOOLS To be deleted.

Malware. REGKEY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLETASKMGR]. Value: DISABLETASKMGR To be deleted.

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0

 

 

and thanks for everything, I notice my computer is more faster.

 

 

 

Attached Files

  • Attached File  mbam.txt   1.25KB   90 downloads

  • 0

#24
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
The great majority of those are files that can be used for good or bad, in this case none are bad :)

Is windows updating OK now as well ?

Any other outstanding niggles ?
  • 0

#25
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

oh okay, well I think its everything, my computer it seems to be very good, thanks for all the help, and yes windows is updating right now.

i told to my family the work that do in this forum, and they were thinking to submit the computer that we think that infected us all, could you please help me with that pc? :spoton:  


  • 0

Advertisements


#26
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
For sure, do you want to continue in this thread as it may be easier that way :)

Meanwhile for your computer

Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown
delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programme:

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme ;)

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:
  • 0

#27
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

you are awesome, and yes, continue in this tread is the best option, because that computer have the problems that I had but "Problems x 3", it is a turtle :yes: .

and sure I will follow the security recommendations.

 

I will post the FRST log in a moment.


  • 0

#28
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK ready when you are, also could you give me a synopsis of the problem
  • 0

#29
samidelcueva

samidelcueva

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

ok, the problem in this computer is a slow startup, and the browser and some programs two, one time when i was chatting with a geekbuddy technician, the computer restart by itself, and the pc have two users, in one of the two users the situation is worse than the other one, and i think thats all, i have run many  malware scans, and sometimes finds something, but the computer performance dont have a marked improvement.

 

 

Attached Files


  • 0

#30
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
A bit of an overkill on the security programmes :)

I have just and AV and unchecky with MBAM if I remember :)

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKLM-x32\...\Run: [tvncontrol] => C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2015-07-20] (Comodo Security Solutions, Inc.)
HKLM-x32\...\Run: [ClamWin] => C:\Program Files (x86)\ClamWin\bin\ClamTray.exe [86016 2015-07-25] (alch)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
BHO: Easy Photo Print -> {9421DD08-935F-4701-A9CA-22DF90AC4EA6} -> No File
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - No File
CHR HKLM-x32\...\Chrome\Extension: [idkknaphebegndgimgdpfnconcickdfn] - No Path Or update_url value
R2 GeekBuddyRSP; C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2015-07-20] (Comodo Security Solutions, Inc.)
S4 sjzgxw; No ImagePath
S0 uezndl; No ImagePath
S4 vqdtrh; No ImagePath
U2 TMAgent; No ImagePath
2015-07-17 23:09 - 2015-07-17 23:13 - 00000000 ____D C:\ProgramData\F-Secure
2015-07-17 23:09 - 2015-07-17 23:09 - 00000000 ____D C:\Users\Rocio\AppData\Local\F-Secure
2015-07-15 23:32 - 2015-07-15 23:32 - 00380416 _____ C:\Users\Rocio\Downloads\vy5gb233.exe
2015-07-10 11:54 - 2015-07-10 11:54 - 00000738 _____ C:\Windows\SysWOW64\{7995330B-E01F-4645-B702-53481E7CB778}.cmdfile
C:\Users\Invitado\R41301.EXE
C:\Users\Invitado\R46346.EXE
C:\Users\Invitado\R49651.EXE
C:\Users\Invitado\R64290.EXE
C:\Users\Invitado\R64913.EXE
C:\Users\Invitado\R69396.EXE
C:\Users\Rocio\grub.exe
C:\Users\Rocio\RarExt.dll
C:\Users\Rocio\rarnew.dat
C:\Users\Rocio\rescue2usb.exe
C:\Users\Rocio\syslinux.exe
C:\Users\Rocio\zipnew.dat
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP