Smitfraud, Yazzle, Vundo removal attempted but computer running extremely slowly.

Status
Not open for further replies.

Simonss

Hi,

Have a Windows 2000 PC with all new updates.

Have followed the advice given in the sticky topics.

Have run SB S&D, Adaware, AVG AntiSpyware, AVG Anti virus.
I have also run the four tools listed in the sticky for
Smitfraud, Vundo, Virtumundo; however, I was unable to get the Look2Me tool to run.
(All the above has been run in safe mode)

Problems include Smitfraud-C.Toolbar888, a Vundo infected dll. YazzleSoduko.

Computer runs at a snail's pace in normal mode, fine when in safe mode. Results in scans taking a very long time in normal mode!

HJT Log attached

Any help would be VERY much appreciated
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.


If after reading the above you decide you want to clean your system, do the following.


Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of Simonss only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

internat.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Simon1\Desktop\vundofix.exe"

O4 - HKCU\..\Run: [internat.exe] internat.exe

O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudioClient-5.1.0\bin\ZendIEToolbar.dll/DebugCurrent.html

O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudioClient-5.1.0\bin\ZendIEToolbar.dll/DebugNext.html

O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL

O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL

O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab

O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.asda-photo.co.uk/wpp/asda/app/opcuploader.cab

O16 - DPF: {E4F2B0F2-AE18-4254-9167-A8EE66E55A6F} (VivioAX Control 3.4) - https://www.cs.tcd.ie/Jeremy.Jones/vivio/vivioAX.cab

Click on the fix checked button.

Close HJT.

I need some info on the location of internat.exe. This file can be good or bad depending on its whereabouts on your system.

Locate this file, internat.exe, and tell me the full directory path. Do not delete it.

Post a fresh HJT log as well as the info on internat.exe

Regards Howard :)
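The triage step in the post above, as an added example that is not part of the original thread and is not HijackThis's own code: it parses entry lines copied from the fix list and flags autorun (O4) commands that carry no directory, which is why the location of internat.exe had to be confirmed by hand. The line grammar is inferred from the entries shown in this thread, and the function names are hypothetical.

```python
import re
from ntpath import dirname  # Windows path semantics on any OS

# Constructed sample: four entry lines copied from the fix list above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Simon1\Desktop\vundofix.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.asda-photo.co.uk/wpp/asda/app/opcuploader.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                      # "O4 - ..."
AUTORUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")  # hive, key, name, command
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*)\) - (\S+)$")    # CLSID, label, codebase URL

def parse_hjt(text):
    """Return one dict per entry line; anything that is not an entry is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        entry = {"section": section, "body": body, "notes": []}
        if section == "O4" and (a := AUTORUN.match(body)):
            hive, key, name, cmd = a.groups()
            # Quoted commands keep their spaces; unquoted ones end at the first space.
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
            entry.update(hive=hive, key=key, name=name, exe=exe)
            if not dirname(exe):
                entry["notes"].append("no directory given: locate the file before judging it")
        elif section == "O16" and (d := DPF.match(body)):
            clsid, label, url = d.groups()
            entry.update(clsid=clsid, label=label, url=url)
            if url.lower().startswith("http://"):
                entry["notes"].append("control downloaded over plain HTTP")
        entries.append(entry)
    return entries

def needs_location_check(entries):
    """Names of autorun entries whose executable path is not fully specified."""
    return [e["name"] for e in entries if e["section"] == "O4" and e["notes"]]

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(e["section"], e.get("name") or e.get("label") or "", e["notes"])
```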

 
internat.exe seems to be a legitimate file.

I have two copies of the file both created on same date and same size (20.2kb, Jan 1999)
Locations are:
C:\WINNT\system32\dllcache
C:\WINNT\system32\

new HJT log attached - kept one item - Account Tracking Manager as I know this is real and not causing problems.
 
Ok, thanks for the info.

Your HJT log is clean.

Run the CCleaner programme as per these instructions.

Download the CCleaner programme from HERE.

Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Click the run cleaner button with no browsers open. Do this several times. Once done, you should be good to go.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Computer is still running extremely slowly. Scans are taking hours to complete and in some cases not completing at all.

Thinking this might be related to Trojan Lop.AS. I was infected with this but managed to remove it during the "preliminary removal instructions process". It has not reappeared since; however, with my HJT logs clean I don't know what else could be causing this.

Looking in task manager doesn't show any application hogging 100% CPU even when the PC is running very slowly.

Any suggestions would be appreciated.
 
Download the following three files ( rmparite.exe, rmparite.nt, rmparite.dos) and run the rmparite.exe file.

You can also specify the disks (or partitions) to heal as command parameters, e.g.: "rmparite C: D:". If the command is used without parameters, it heals all disks (partitions) on the computer.

Note:
Successful running of the remover requires administrator rights. For proper functionality of the remover it is necessary to save the rmparite.nt and rmparite.dos into the same folder as rmparite.exe. After the healing process please run the AVG Complete Test to make sure your computer is virus-free.

Then, do the following.

Download Findlop by Metallica. Unzip it to your desktop. Double click findlop.bat. It will open a notepad file. Copy the content of that file and paste it here in your reply.

Go to add/remove programmes in your control panel and uninstall anything to do with (if there):

Window Search
Window Searching
Lop.com
LOP SEARCH
Browser Enhancer
Ultimate Browser Enhancer
Messenger Plus
Uninstall any other entries you don't recognise.

Let me know if any of the above helps.

Regards Howard :)

 
Based on what I have read elsewhere etc. I have done some more scans but still can't seem to find any reason why my computer is still running at a snail's pace.

Ran in safe mode - normal mode takes hours to scan

NoLop.exe found nothing
rmparite.exe found nothing I think - no log file then automatically closed.
smitfraud fix found nothing
vundofix found nothing
virtumundo found nothing
Look2Me could not be run
spybot S&D found hotsearchbar.
adaware found nothing
avg antispyware found nothing serious (see log)
ran CCleaner a number of times
ran diskeeper 10 twice and did a boot time defrag.

Still no joy, comp runs like a dog in normal mode.

Ran the above findlop.bat file and the result was:

[TRACE] Enumerating jobs and queues
 
Try temporarily uninstalling Diskeeper as there is an entry in your HJT log for the Windows defragger. This may be slowing your system down.

Let me know the results and post a fresh HJT log.

Regards Howard :)

EDIT: Also try this.

Go to start > control panel > software > add/remove programs and uninstall the following if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin in it.

If OIN not listed, download and run this uninstaller.


 