Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Seeking for a geek! [Closed]


  • This topic is locked This topic is locked

#1
bbq

bbq

    New Member

  • Member
  • Pip
  • 2 posts

My pc may,or may not be infected by a a malware and i need help to find out why is it so slow.In safe mode it runs well but in normal mode the cpu is at 100% after the moment i boot it.

Attached Files


  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there  do you think it is wise to use torrents without an antivirus and windows defender disabled ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-2936620227-1760502345-1878778505-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnkdYvIvvwfEa2R0wwOtHRt5yzwuGIFI-ZKSsoGhnIaA8kxHLc96n3BtvPARDetO0RHPmWVXYT00uVMyZInO8DlVgm9wxkbJmpHB9BJ14ju3D0QHDoaqKlRi-TjZSTnJkZQ3_RGs6bLWsHSQVfyiVHCUwnIho7Id6fpgB&q={searchTerms}
HKU\S-1-5-21-2936620227-1760502345-1878778505-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnkdYvIvvwfEa2R0wwOtHRt5yzwuGIFI-ZKSsoGhnIaA8kxHLc96n3BtvPARDetO0RHPmWVXYT00uVMyZInO8DlVgl6O2ssy3UrV-ChAGgKaQkNBs-455UmTXrnGmJYq9i-uvVKYj-kMVRSOMpW5C9OiD4HNb8O2NL8rY
HKU\S-1-5-21-2936620227-1760502345-1878778505-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnkdYvIvvwfEa2R0wwOtHRt5yzwuGIFI-ZKSsoGhnIaA8kxHLc96n3BtvPARDetO0RHPmWVXYT00uVMyZInO8DlVgm9wxkbJmpHB9BJ14ju3D0QHDoaqKlRi-TjZSTnJkZQ3_RGs6bLWsHSQVfyiVHCUwnIho7Id6fpgB&q={searchTerms}
HKU\S-1-5-21-2936620227-1760502345-1878778505-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnkdYvIvvwfEa2R0wwOtHRt5yzwuGIFI-ZKSsoGhnIaA8kxHLc96n3BtvPARDetO0RHPmWVXYT00uVMyZInO8DlVgm9wxkbJmpHB9BJ14ju3D0QHDoaqKlRi-TjZSTnJkZQ3_RGs6bLWsHSQVfyiVHCUwnIho7Id6fpgB&q={searchTerms}
URLSearchHook: HKLM - BS Player ControlBar B Toolbar - {31264a33-a653-46c4-af49-1232c59a7da5} - C:\Users\Kuli\AppData\LocalLow\BS_Player_ControlBar_B\prxtbBS_P.dll (ClientConnect Ltd.)
SearchScopes: HKU\S-1-5-21-2936620227-1760502345-1878778505-1001 -> {9435610E-9202-4158-BFDD-19C911E2BA9B} URL = hxxp://trovi.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3329621&CUI=UN23678415427380876&UM=4
SearchScopes: HKU\S-1-5-21-2936620227-1760502345-1878778505-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnkdYvIvvwfEa2R0wwOtHRt5yzwuGIFI-ZKSsoGhnIaA8kxHLc96n3BtvPARDetO0RHPmWVXYT00uVMyZInO8DlVgm9wxkbJmpHB9BJ14ju3D0QHDoaqKlRi-TjZSTnJkZQ3_RGs6bLWsHSQVfyiVHCUwnIho7Id6fpgB&q={searchTerms}
BHO: BS Player ControlBar B Toolbar -> {31264a33-a653-46c4-af49-1232c59a7da5} -> C:\Users\Kuli\AppData\LocalLow\BS_Player_ControlBar_B\prxtbBS_P.dll [2014-09-30] (ClientConnect Ltd.)
Toolbar: HKLM - BS Player ControlBar B Toolbar - {31264a33-a653-46c4-af49-1232c59a7da5} - C:\Users\Kuli\AppData\LocalLow\BS_Player_ControlBar_B\prxtbBS_P.dll [2014-09-30] (ClientConnect Ltd.)
Toolbar: HKU\S-1-5-21-2936620227-1760502345-1878778505-1001 -> BS Player ControlBar B Toolbar - {31264A33-A653-46C4-AF49-1232C59A7DA5} - C:\Users\Kuli\AppData\LocalLow\BS_Player_ControlBar_B\prxtbBS_P.dll [2014-09-30] (ClientConnect Ltd.)
HR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnkdYvIvvwfEa2R0wwOtHRt5yzwuGIFI-ZKSsoGhnIaA8kxHLc96n3BtvPARDetO0RHPmWVXYT00uVMyZInO8DlVgm8ehTE-3P86lT3C1wiX8egbhDVNyLpHFy7UZWXbQzgSh0ATgot0fawDN5x1g7hNBcXvPdgrF6MaR
CHR DefaultSearchURL: Default -> hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnkdYvIvvwfEa2R0wwOtHRt5yzwuGIFI-ZKSsoGhnIaA8kxHLc96n3BtvPARDetO0RHPmWVXYT00uVMyZInO8DlVgm8t2rEeWx313T7UwnJw0JEHUZ9zrjaFM3J6zDlCmbSFdcfo2GhEKFhOm2lJdU23ngTIkHrUWK8bw&q={searchTerms}
CHR DefaultSearchKeyword: Default -> feed.sonic-search.com
S2 TBSrv; C:\Program Files\Tbccint\ToolbarService\ToolbarService.exe [350528 2014-09-30] (ClientConnect Ltd.)
S1 ATITool; C:\Windows\System32\DRIVERS\ATITool.sys [24064 2006-11-10] () [File not signed]
2015-10-08 16:14 - 2015-10-08 16:14 - 00000000 ___DC C:\ProgramData\{ACF12395-778E-44F0-A811-C99F334A83F5}
2015-07-23 14:02 - 2015-07-23 14:02 - 0000000 _____ () C:\Users\Kuli\AppData\Local\{A94F0099-E99D-49AC-8E99-B64D3E57E6BB}
safeboot: {b1f0001a-639a-11e4-9bce-8874be57e7c8} => The system is configured to boot to Safe Mode <===== ATTENTION
CustomCLSID: HKU\S-1-5-21-2936620227-1760502345-1878778505-1001_Classes\CLSID\{1BBF13E0-551E-42DD-91F4-1A547443FFDA}\InprocServer32 -> C:\Users\Kuli\AppData\Local\Tbccint\Community Alerts\Alert.dll (ClientConnect Ltd.)
CustomCLSID: HKU\S-1-5-21-2936620227-1760502345-1878778505-1001_Classes\CLSID\{31264A33-A653-46C4-AF49-1232C59A7DA5}\InprocServer32 -> C:\Users\Kuli\AppData\LocalLow\BS_Player_ControlBar_B\prxtbBS_P.dll (ClientConnect Ltd.)
CustomCLSID: HKU\S-1-5-21-2936620227-1760502345-1878778505-1001_Classes\CLSID\{3A1209A4-8568-40F0-9B5E-4A06A2A06417}\InprocServer32 -> C:\Users\Kuli\AppData\LocalLow\BS_Player_ControlBar_B\prxtbBS_P.dll (ClientConnect Ltd.)
Task: {35888FA2-9721-40CA-8550-29FA90537670} - System32\Tasks\{B3F2D081-0079-441A-BA9D-AD1E7E4CC51F} => pcalua.exe -a E:\setup.exe -d E:\
AlternateDataStreams: C:\ProgramData:NT
AlternateDataStreams: C:\ProgramData:NT2
AlternateDataStreams: C:\Users\All Users:NT
AlternateDataStreams: C:\Users\All Users:NT2
AlternateDataStreams: C:\ProgramData\Application Data:NT
AlternateDataStreams: C:\ProgramData\Application Data:NT2
AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT
AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT2
AlternateDataStreams: C:\Users\Kuli\Application Data:NT
AlternateDataStreams: C:\Users\Kuli\Application Data:NT2
AlternateDataStreams: C:\Users\Kuli\AppData\Roaming:NT
AlternateDataStreams: C:\Users\Kuli\AppData\Roaming:NT2
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.
FINALLY

Download aswMBR.exe ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation, accept that
When it offers to download the virus database allow that as well
Click the "Scan" button to start scan

AswMBR%20scan.JPG


On completion of the scan click save log, save it to your desktop and post in your next reply
  • 0

#3
bbq

bbq

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts

i think this is it.

 

Attached Files


  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

OK you have sality a file infector that may have damaged a lot of system files... I will try to repair but there is no guarantee

C:\Users\Kuli\AppData\Local\Temp\loqhu.exe **INFECTED** Win32:Sality-GR
15:47:09.166 File: C:\Users\Kuli\AppData\Local\Temp\wdfy.exe **INFECTED** Win32:Sality-GR
15:47:09.213 File: C:\Users\Kuli\AppData\Local\Temp\wincdir.exe **INFECTED** Win32:Sality-GR
15:47:14.967 File: C:\Users\Kuli\AppData\Roaming\BSplayer\AC3 Filter\unins000.exe **INFECTED** Win32:Sality
15:47:16.899 File: C:\Users\Kuli\AppData\Roaming\BSplayer\FFDShow\unins000.exe **INFECTED** Win32:Sality
15:47:18.022 File: C:\Users\Kuli\AppData\Roaming\BSplayer\Haali media splitter\uninstall.exe **INFECTED** Win32:SaliCode
15:47:24.566 File: C:\Users\Kuli\AppData\Roaming\uTorrent\updates\3.4.2_36044.exe **INFECTED** Win32:Sality
15:47:24.691 File: C:\Users\Kuli\AppData\Roaming\uTorrent\updates\3.4.2_37754.exe **INFECTED** Win32:Sality
15:47:24.810 File: C:\Users\Kuli\AppData\Roaming\uTorrent\updates\3.4.3_40097.exe **INFECTED** Win32:SaliCode
15:48:25.583 File: C:\ProgramData\Sanlux\uninstall.exe **INFECTED** Win32:Sality
15:48:26.652 File: C:\ProgramData\Yahoo!\YUpdater\yupdater.exe **INFECTED** Win32:SaliCode

I would recommend that you back up any personal data just in case... Now you can see why using torrents without an antivirus is dangerous

The following programme may need to be run several times and no guarantee can be given

Download Sality Killer zip to your desktop and extract SalityKiller.exe

Run the utility SalityKiller.exe on the infected computer
A reboot might require after disinfection.

Download the file Sality_RegKeys.zip
unpack the file Sality_RegKeys.zip
run the file Disable_autorun.reg from the archive Sality_RegKeys.zip

Once the scan is over, from the archive Sality_RegKeys.zip run the file of the registry key:

under Windows 2000 run the registry file SafeBootWin200.reg
under Windows XP run the registry file SafeBootWinXP.reg
under Windows 2003 run the registry file SafeBootWinServer2003.reg
under Windows Vista / 2008 run the registry file SafebootVista.reg
under Windows 7 / 2008 R2 run the registry file SafebootWin7.reg

THEN

 

Download and run a fresh copy of AswMBR

 

Download aswMBR.exe ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation, accept that
When it offers to download the virus database allow that as well
Click the "Scan" button to start scan

AswMBR%20scan.JPG

On completion of the scan click save log, save it to your desktop and post in your next reply


  • 0

#5
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP