Infected PC - Logs attached

Welcome to Major Geeks!

Run Hitman Pro again and this time allow it to fix all the Malware and Potential Unwanted Programs that it found. Then reboot immediately.

After reboot, run a new scan with Hitman Pro and attach the new log. Also tell me how things are running.

You also need to run MSconfig and put this PC into Normal Startup mode. MSconfig should not bet used as a long term startup manager. See the below:

Dealing with Startup Process

 

No! The log shows you did not fix the potentially unwanted programs as I requested. This junk will slow a PC down.

3 GB total would be better.

It should never have been off yet. It should only be toggle off and then back on after ALL malware has been removed. It is a safety net just in case things go wrong.

 

Okay that looks better.

Now let's run one more tool which may cleanup some more junk.

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Also make sure that you tell me how things are working!!

 

Please reply to the last sentence in my last message.

 

You're welcome. Okay we have a few more things to do to cleanup some garbage. Please follow the instructions below in the order written.


Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select any of the following lines that still exist ( many or all may already be gone ) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb185?a=6Oz0V2olFN&i=26
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\WI9130~1\Datamngr\BROWSE~1.DLL
O2 - BHO: Wincore Mediabar - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - (no file)
O3 - Toolbar: (no name) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - (no file)
O3 - Toolbar: (no name) - !{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKUS\S-1-5-21-215359398-1740733606-1048663472-1006\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Kids')

After clicking Fix, exit HJT.


Please download OTM by Old Timer and save it to your Desktop.

• Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\Documents and Settings\Andre\liyawkpaqp.tmp
C:\Documents and Settings\Andre\Application Data\Strongvault
C:\Program Files\PersonalAV
C:\Program Files\BEARSH~1
C:\Program Files\Ask.com
C:\Documents and Settings\Andre\Application Data\Allmyapps
C:\Documents and Settings\Andre\Application Data\Bloson
c:\windows\system32\hobokuzu.dll
C:\WINDOWS\\system32\wegeyivi.dll
C:\WINDOWS\Tasks\ParetoLogic Update Version3.job
C:\WINDOWS\Tasks\ParetoLogic Registration3.job
C:\WINDOWS\Tasks\ParetoLogic Update Version3 Startup Task.job
C:\WINDOWS\Tasks\ProgramUpdateCheck.job
C:\WINDOWS\Tasks\ProgramRefresh-ATFST.job
C:\WINDOWS\Temp\*.*
C:\Documents and Settings\Andre\Local Settings\Temp\*.*
 
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Allmyapps Update]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Allmyapps]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BlosonAddonUpdater]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DATAMNGR]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CPM57c5e42d]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CreateCD_Reminder]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PersonalAV]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\suwemosule]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VAIOSurvey]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2430}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}]
:Commands
[purity]
[EmptyTemp]
[start explorer]

[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


Now run MSconfig and select Norma Startup Mode!!! Do this now before continuing and and then reboot your PC to have it take effect.

After reboot, contine.

You have multiple antivirus program installed. Your logs show:

avast! Free Antivirus
Norton AntiSpam
Norton Internet Security

You need to either uninstall all of the Norton items or you need to uninstall Avast. Do this now and then move on to the below.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

I will give you steps to remove anything that I still see in the new logs.

Yes and I already deleted ( in the last fix ) a bunch more that would have loaded. You did not need any of the ones I delete and some were malware/junkware. I can give you more to permanently delete from startup if you want. You even have tasks running that you don't really need. This is not malware, it is just unnecessary stuff that the end user has allowed to be installed an setup.

Examples of what I would do.

You can uninstall Hitman Pro because we are finished with it.

I would delete the below tasks

Code:

"C:\WINDOWS\Tasks\"
adobef~1.job  Feb 25 2013         830  "Adobe Flash Player Updater.job"
apples~1.job  Feb 22 2013         284  "AppleSoftwareUpdate.job"
google~1.job  Feb 22 2013         882  "GoogleUpdateTaskMachineCore.job"
google~2.job  Feb 22 2013         884  "GoogleUpdateTaskMachineUA.job"
hpusgd~1.job  Feb 25 2013         342  "HP Usg Daily.job"

I would stop and disable the below services but be sure that the user does not need the Seagate Service. I delete those stupid/unnecessary and unwanted Google Services on all my PCs.

I would permanently stop the below from running at startup. Exclude the Seagate item if automatic backups are being used and this process is really needed to load for them to work.

Did the owner install and do they use File Type Assistant ? If not, uninstall it.


Note per your last logs, you did not get the below fixed:

O3 - Toolbar: (no name) - !{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

All browsers must be closed and protection software disabled before fixing.


Now let's remove the items from Norton that remained in the logs.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

After clicking Fix, exit HJT.




Run OTM.exe by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).

• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\$AVG8.VAULT$
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
 
:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"URLLSTCK.exe"=-
"IS CfgWiz"=-
"ccApp"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3B29A786-5803-4e9e-9B58-3014A5B4E519}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{449F3A9E-9903-4a0d-A209-08030D45A935}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5677563D-0CB1-485f-9E18-C5025306BB3F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"!{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
:Commands
[purity]
[EmptyTemp]
[start explorer]

[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Open Windows Explorer and navigate to that folder. Locate the files and right click on them and select delete.

See the link I previously gave you >>
Dealing with Startup Process I suggest AutoRuns.

Please fnish the rest of my last instructions.

 

I'm sorry but Windows Explorer is something that has been around since Windows has first been released. It is the file manager for Windows. You can find dozens of links to it on the Internet via Google or any other search tool. There are many ways to open up Windows Explorer. One example, hold down the Windows Logo key while pressing the "e" key.

And the AutoRuns program is in that link I gave. Try running it. If you can run HijackThis, you can run AutoRuns which is a startup manager. HijackThis is not a startup manager.

Also we are not at a point of removing malware. You are asking for help related to things that should really be discussed in the Software Forum. I was just trying to point you in the right direction since you were complaining about slow startup and this is not a malware issue. Also I cannot be the one who decides what from these items your friend runs or needs to run. I gave my recommendation but that does not mean that your friend does not need them or want them. That is something you need to figure out along with your friend.

 

Not "delete". You disable them from loading at startup by unchecking it. That gives you the ability to reenable them if later you find that you want or need any of them to run at startup.