Getting everything back after malware infection

[Ron M]

I have been reading through some of the problems that people have had or are having with the rogue trojan virus System Tool and described in various posting on this forum and can sympathize very closely with their experience. After 20+ years of always maintaining what I thought was a reasonable good anti-virus/anti-malware defense (never had any problems or infections that caused problems - they were always caught by the AV software) - I used Norton for a while on a whole variety of Dell machines because that is what came with the machine, kept it up to date and used a variety of different fire-walls and now McAfee is the latest offering with Dell machines, so I have that going for me, then last Sunday morning, System Tool struck - I got my wall paper replaced with a big screen saying I was infected with Spyware and all the rest, it even did a pseudo-scan for virus infections and asked me to buy a piece of software to get rid of this infection which I did - stupid on my part, but it looks real if you don't know about it and overly trust your anti-virus/malware software, which I guess I do...any of you who have had the infection, know what I am talking about and those of you who haven't, don't want it - believe me - you don't. I have no idea where it came from, but it obviously came off the net as I was surfing some old sites I had on "My Favourites" trying to decide if I should keep them or lose them...

With the help of McAfee's technical folks, I got rid of the virus, but I still have, what I think is a bit of a "hang-over" from it as follows...

when I boot up, everything seems to go okay (Win 7 64-bit) through login, but then my screen goes blank for a few minutes with the cursor showing busy and then after a few minutes ( 2 to 3 ±) all my shortcut icons and the task bar show up and everything works properly, except the wallpaper is not there, just a blank, dark screen. It seems like there is something missing, obviously, because the "boot" to the point that I can use my machine takes so long and yet something seems to be working "behind the scenes" as it were, and I do not get my wall paper back.

Can anyone tell me what I am missing, or suggest something I should try to 1. SPEED up the boot process (how can I find out what it is doing when it should really be finishing the booting up) and 2. GET me my wallpaper back. NOTE, I have since installed pctools product Spyware Doctor, to run "in parallel" with McAfee, and it has actively detected a number of infections, mostly minor, although there was one that was a deemed major threat (McAfee missed it???) and the software allowed me to get rid of all of these. Any help, insight, etc. that anyone would care to share will be greatly appreciated. Thanks in advance.

Regards,

Ron M

[JoeP517]

You should check what is starting when the PC boots. Use a tool such as Autoruns for Windows or WhatInStartup - Disable/delete programs at Windows startup.

Note: Autoruns produces a large amount of information. You should be concerned with the Logon tab.

Joe

[Ron M]

You should check what is starting when the PC boots. Use a tool such as Autoruns for Windows or WhatInStartup - Disable/delete programs at Windows startup.

Note: Autoruns produces a large amount of information. You should be concerned with the Logon tab.

Joe

Joe, thanks for the information. I tried to download Autoruns, but it would not download for me. When the download screen came up and I clicked on <Save>, then the whole panel went away. So I tried running it directly from the site and that worked and as you said it produced quite a bit of output. I looked at the "Logon" tab and I guess my question is - now what? - not being a techie, I don't know what programs should or should not be running at Logon, so I am unsure as to what to do with this information. Any suggestions as to what I should look for. I could grab a screen capture and maybe attach it as a Word or PowerPoint document so you can see what is there and tell me if anything that is going on should not be going on, other than that, I am at a bit of an impasse.

Regards,

Ron M

[JoeP517]

A screen shot would help. Someone may have advice on what you could disable.

Joe

[James S]

Here is a database for start up entries: http://www.sysinfo.org/startuplist.php

To see what a particular process that is running you can use this to tell you what each does: http://www.processlibrary.com/

I would also recommend running HijackThis from TrendMicro. A simple program that you can save the results and post. This report may show some sketchy things going on as well: http://free.antivirus.com/hijackthis/

[Ron M]

JoeP and James S, I ran the "Hijackthis" software and it gave me a log of a whole bunch of files, most of which I have absolutely no idea what they do or why they are needed. One thing, the first time I ran it, I received a message concerning the "host" files that stated that Hijackthis had encountered some problems with the "host" file and could not process it and gave me some instructions for editing it from the "Start-Run" command line and told me to remove all the "Hijack this repair lines. I followed directions as best I could, but could not see anything like they suggested I look for. They also suggested I run this as administrator. When I ran this as the administrator, I did not get the message about the "host" file. Anyway, I have attached the Notepad file from the log of the "Hijack this" report and maybe someone can tell me if there is something here that I need to followup on. I would like to thak both of you for the suggestions and help that you have given me on this problem.

James S, I bookmarked the URLs that you gave me and if I get the time, then I guess I will follow up on the log file. The one thing about the logfile report when it came up on the screen, nothing was checked to indicate a "bad" entry so I still am at a loss to figure out what the problem is. If it is the "host" file, then maybe I can just delete it and have the system build a new one, or do you know if there is a place where I can download a replacement.

Regards,

Ron M

I just tried to upload the log file and it tells me I am not permitted to upload this kind of file - now what?

[jscher2000]

I just tried to upload the log file and it tells me I am not permitted to upload this kind of file - now what?

The board software only allows certain extensions. Try compressing the log file into a .zip archive and upload it in that format.

[Ron M]

The board software only allows certain extensions. Try compressing the log file into a .zip archive and upload it in that format.

So, JoeP and James S, I have done what J Scher suggested and the zipped version of the log file should be attached - Winzip 15.0 version. If either of you can figure anything out from this that will get my system up and running in normal time then, many, many, many thanks.

Ron May

[James S]

I too have had the same problems when analyzing the Hijackthis log. It is very detailed and takes a lot of time to check. You really have to go thru the entries one by one, those that you don't recognize or are questionable needs a search to determine if this process is valid or invalid. This log can point to major issues or very small one. I am not an expert on this and will not recommend any changes because of that, I don't want to give you advice on what I would do and then have it muck up your computer. At first glace you do seem to have a lot of stuff running in the background. How does your startup menuj look? I have always believed its best to be very lean on all my services, whether they be startup or background. I run malwarebytes and a few other programs often but manually. The only thing I do use other than my anti-virus in the background is WinPatrol, http://www.winpatrol.com/. Its a very small program but will notify you of any changes to your system, notabaly your registry. I see a lot of file missing's at the end of your log, not sure what that is about. In the past I have had issues with my log too and not being an expert I have used this: http://www.techsupportforum.com/forums/ Its free to join and they do a lot of hijackthis log files. I hate to not give you a better answer but its not my computer so.................

One question I wondered about is have you thought about just saving whats important, flash drives are cheap and easy, and then doing a complete reinstall of your system? Often when things get so mucked up its better to just start from scratch. Good luck

[Ron M]

I too have had the same problems when analyzing the Hijackthis log. It is very detailed and takes a lot of time to check. You really have to go thru the entries one by one, those that you don't recognize or are questionable needs a search to determine if this process is valid or invalid. This log can point to major issues or very small one. I am not an expert on this and will not recommend any changes because of that, I don't want to give you advice on what I would do and then have it muck up your computer. At first glace you do seem to have a lot of stuff running in the background. How does your startup menuj look? I have always believed its best to be very lean on all my services, whether they be startup or background. I run malwarebytes and a few other programs often but manually. The only thing I do use other than my anti-virus in the background is WinPatrol, http://www.winpatrol.com/. Its a very small program but will notify you of any changes to your system, notabaly your registry. I see a lot of file missing's at the end of your log, not sure what that is about. In the past I have had issues with my log too and not being an expert I have used this: http://www.techsupportforum.com/forums/ Its free to join and they do a lot of hijackthis log files. I hate to not give you a better answer but its not my computer so.................

One question I wondered about is have you thought about just saving whats important, flash drives are cheap and easy, and then doing a complete reinstall of your system? Often when things get so mucked up its better to just start from scratch. Good luck

James S, thanks for your reply. I sincerely appreciate your sentiment about not wanting to muck up my computer...in your shoes I would feel the same way. I just reel at the immensity of checking everyone of those entires by hand...maybe a few a day...small bites so to speak, will be what I have to do. Interested in your comment about "you do seem to have a lot of stuff running in the background"...not being a techie, I really would not know this sort of thing, but I guess it is something to check on. I will also look into the WinPatrol program that you have suggested., although I have now implemented Spyware Doctor to run beside my anti-virus, and it has detected a few things since implementation and I try to run a scan at least once a day.

I put the clock on it this morning when I booted up and it takes about 4 minutes for my screen to come up from the time I enter my password and the time that the screen wallpaper shows up with the Taskbar and the application icons - it takes about another minute for other things to kick in...the thing is that the computer appears to be doing "something" while all this (whatever "this" is) is going on and then the wallpaper, Taskbar and icons appear - go figure.

Yes, I have given some thought to backing up everything and just starting over, but the enormity of that task is overwhelming for me at the moment...I am not sure whether I can just re-install Windows and even if I could, would that solve the probelm, probably not - I will look into the malwarebytes program you mentioned as well, and I will look up the "techsupportforum" you mentioned.

"I hate to not give you a better answer but its not my computer so................." - please don't worry about this...you and Joe have given me a lot of help so far and a lot to think about, so I owe you both a great deal of thanks for your help in working at solving this problem.

Kindest regards,

Ron M