
Unknown infection and can't run FRST [Solved]

win 7 32 bit

  • This topic is locked
41 replies to this topic

#31 GeekStyle59

GeekStyle59

    Authentic Member

  • Authentic Member
  • PipPip
  • 23 posts

Posted 02 December 2014 - 07:36 AM

FWIW I just Googled "ghostviet consequences" because earlier you suggested that maybe the repair guy I used pirated my Windows software. I see that the first listing is for a pirated version of win 7 64 bit so now I am thinking that the guy DID pirate the software because my tower system died first, then my laptop in such rapid succession that I was left without a computer while he worked on both. When he returned the tower, I could not even connect to the internet because of a malware problem. I had the XP install disks so I simply low level formatted the drive and re-installed XP without any further problem (until the whole system died several months later -- but it was almost 8 years old).




#32 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,753 posts
  • Interests:LFC, music, more LFC, more music

Posted 02 December 2014 - 10:10 AM

I just Googled "ghostviet consequences" because earlier you suggested that maybe the repair guy I used pirated my Windows software.

I don’t recall suggesting that but I did get you to run a scan to see if your operating system was legitimate due to that entry; there is no suggestion in the resulting log that it is “pirated” or I wouldn’t be helping you clean it. :)


Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7: right-click the program and select Run as Administrator
  • after it has completed its prescan click on the “Registry” tab
  • make sure this entry is checked, then click on Delete:

[PUM.HomePage] HKEY_USERS\S-1-5-21-3135014543-1366911502-1036751248-1003\Software\Microsoft\Internet Explorer\Main | Start Page : http://ghostviet.com/  -> Found

Please include the Delete log in your next post.

Let me know if the problem is solved.

Satchfan
 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.
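
A read-only way to confirm the result of the step above for every logged-on account, added here as an example and not part of the original thread or of RogueKiller: the PowerShell below reads the same "Internet Explorer\Main" key from each user hive loaded under HKEY_USERS and marks start pages that fall outside an allowlist. The $Allowed baseline and the function names are assumptions made for illustration.

```powershell
# Added example (not from the thread): list the Internet Explorer start pages
# of every user hive loaded under HKEY_USERS and flag unexpected values.
# $Allowed is an assumed baseline; replace it with your own.
$Allowed = @('about:blank', 'http*://www.msn.com/*', 'http*://go.microsoft.com/fwlink/*')
$SubKey  = 'Software\Microsoft\Internet Explorer\Main'
$Values  = @('Start Page', 'Secondary Start Pages')   # REG_SZ and REG_MULTI_SZ

function Test-AllowedUrl {
    param([string]$Url)
    foreach ($pattern in $Allowed) {
        if ($Url -like $pattern) { return $true }
    }
    return $false
}

function Get-StartPageReport {
    # Only hives of logged-on users are loaded; other profiles need
    # "reg load" on their NTUSER.DAT before they show up here.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }
    foreach ($hive in $hives) {
        $sid  = $hive.PSChildName
        $main = Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\$SubKey" -ErrorAction SilentlyContinue
        if ($null -eq $main) { continue }          # user has no IE settings key
        foreach ($name in $Values) {
            foreach ($url in @($main.$name)) {     # @() also unrolls REG_MULTI_SZ
                if ([string]::IsNullOrEmpty($url)) { continue }
                New-Object PSObject -Property @{
                    Sid = $sid; Value = $name; Url = $url
                    Status = $(if (Test-AllowedUrl $url) { 'ok' } else { 'REVIEW' })
                }
            }
        }
    }
}

# Nothing is modified; rows marked REVIEW are the ones to inspect by hand.
Get-StartPageReport | Sort-Object Status, Sid |
    Select-Object Status, Sid, Value, Url | Format-Table -AutoSize
```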

#33 GeekStyle59


Posted 02 December 2014 - 10:52 AM

Yes! IE now opens to msn.com

Is it now safe to reboot?

Are we now done???



#34 Satchfan


Posted 02 December 2014 - 11:02 AM

Yes to all. Well done. :thumbup:

 

Before we finish I'll send some clean-up instructions and recommendations but have to pop out for a bit now so it will be in a few hours.



#35 GeekStyle59


Posted 02 December 2014 - 11:12 AM

Thanks! Can one PM on this site?



#36 Satchfan


Posted 02 December 2014 - 11:14 AM

Yes.



#37 Satchfan


Posted 02 December 2014 - 03:59 PM

Your computer appears to be clean.

Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:


o    Create registry backup
o    Purge system restore


  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX; it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

===================================================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

===================================================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

===================================================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

A couple of links with information here and here which can answer any questions you might have about installing/using it.

===================================================

Unchecky

Be careful when downloading free software. Many free programs come bundled with adware, many of which cause redirects/popups and verge on being malware. There is a program that automatically “unchecks” the boxes you may not notice when downloading programs.

Download and install Unchecky.


I also recommend that you read the following:

How to prevent malware by miekiemoes

Help! My computer is slow! by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet  by Lawrence Abrams

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan
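
To check that a HOSTS file only does what the MVPS description above says (send listed names to the local machine), the following added PowerShell example, which is not part of the original post or of the MVPS package, parses HOSTS-format lines and separates sinkholed names from names mapped to any other address. The sample lines, the $Sinkholes list and the function name are constructed for illustration.

```powershell
# Added example (not from the thread): summarise HOSTS-format lines and flag
# entries that do not point at a loopback/null address. A blocking list should
# map every listed name to such an address; anything else deserves a look.
$Sinkholes = @('127.0.0.1', '0.0.0.0', '::1')   # assumed "blocked" targets

# Constructed sample input. To audit the real file instead, use:
#   $Sample = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
$Sample = @(
    '# constructed sample, not taken from the thread',
    '127.0.0.1     localhost',
    '127.0.0.1     ads.example.com  tracker.example.net',
    '0.0.0.0       popups.example.org   # blocked',
    '203.0.113.10  www.example-bank.test'
)

function Get-HostsEntry {
    param([string[]]$Lines)
    $n = 0
    foreach ($line in $Lines) {
        $n++
        $text = ($line -replace '#.*$', '').Trim()   # strip comments
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }        # address without a name
        # One line may carry several names for the same address.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{
                Line = $n; Address = $fields[0]; Name = $name.ToLower()
            }
        }
    }
}

$entries = @(Get-HostsEntry -Lines $Sample)
$blocked = @($entries | Where-Object { $Sinkholes -contains $_.Address })
$other   = @($entries | Where-Object { $Sinkholes -notcontains $_.Address })

'{0} names sinkholed, {1} names mapped elsewhere' -f $blocked.Count, $other.Count
$other | Sort-Object Line | Select-Object Line, Address, Name | Format-Table -AutoSize
```

With the constructed sample, the only row listed for review is the name mapped to 203.0.113.10.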

 

 



#38 GeekStyle59


Posted 03 December 2014 - 05:25 AM

Good morning (my time)!

 

Everything seems to have gone smoothly except that, when I re-installed the Nov. version of MVPS Host, I never got an update message. I'm hoping this is only because it had been previously installed. I re-installed it, though, in case it had gotten infected. The first time I did not get the updated message so I tried again. Still no update message. Here is what the Etc folder contains ATM:

 

 

HOSTS

HOSTS,MVP

Hosts_bak_219

Imhosts.sam

networks

protocol

services

 

Also, along the way of diagnosing things, two "invisible" desktop.ini files appeared. Here is the Notepad version of their contents:

 
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
 
 
and
 
 
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
 
 
One last thing has happened since receiving this last set of instructions. The icons on my desktop moved themselves in a random fashion instead of staying where I had positioned them.
 
Thank you so much for all your help!


#39 Satchfan


Posted 03 December 2014 - 08:56 AM

Good morning, (pm my time) :weee:

Your hosts file is fine and MVPS likely found nothing to update.

Re your desktop icons, many things can cause them to rearrange themselves. You should be able to rearrange them yourself. Right-click on your desktop and point to "View", then make sure that "Auto arrange icons" is not checked.


Those desktop.ini files should not be visible; to "hide" them, do the following:

  • open Windows Explorer, (Windows key+E)
  • at the top, click on Organise > Folder and search options
  • click on the “View” tab
  • under “Files and Folders”, remove the checkmark next to Show hidden files, folders and drives

Let me know if they have gone.

 



#40 GeekStyle59


Posted 03 December 2014 - 10:02 AM

Yes the .ini files are again hidden

 

All else seems to be fine again. I can't thank you enough.

 

May the holidays ahead be full of joy for you!




#41 Satchfan


Posted 03 December 2014 - 10:58 AM

I am glad to have been of help.

 

I wish you and your family a great Christmas and hope you have a better 2015.

 

Kind regards

 

Satchfan



#42 Satchfan


Posted 04 December 2014 - 10:18 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.

