Irony: was better B4 I removed malware (LOL?)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Miss Leigh, Oct 12, 2013.

  1. Miss Leigh

    Miss Leigh Private E-2

    Hello!

    OS: Vista home basic (have tried twice to download Service Pack 1 and both times it has gone through the whole rigmarole and then FAILED. Ugh.). Chrome browser.

    I moved out of NYC to the boondocks. So, I am on dialup at home, and borrow WiFi at McDonald's & wherever else I can get it.

    Was on WiFi last week and spending too much time "Resolving Host." Everything started with the long "resolving host" wait times.

    Checked Chrome Extensions and found that three misspelled versions of something similar to "download keeper" had inserted extensions onto my Chrome (looking like "DoWnLoAd keeepEUR" or something like that, three different variations--since deleted). Also, an IP had been inserted in my hosts file, also immediately deleted.

    Deleting those weird Extensions and cleaning up the Hosts file helped, but not entirely. So I read about disabling IPv6, and inserted FFFFFFFF into the appropriate place in the registry, which did not speed up my connection at all: still "resolving host" problems and unusually slow (now on dialup this week, and yes, dialup is slow, but, not like this).

    So, yesterday connected to WiFi at the local library to go through the malware removal process recommended by majorgeeks (did it once before on this PC in 2010, and on a previous machine in 2006), and a few things were found yesterday--but I had to re-create my dial-up connection today after booting up the PC again--and the PC is slower than ever, not just the phone connection, but the activity of the PC all 'round.

    Even after running the malware removal programs, I've found more than a few instances of this "dOwNlOaD keeePEUr" thingamajig (misspelled any number of different ways) still in the registry. I had downloaded free DivX software which I have since uninstalled; I don't know if that's what brought in the other stuff?

    Now what? I saved the logs; I will go dig them up if they would help? Or is there another process I should run in addition, or instead?

    Thank you so much!!!

    - Miss Leigh
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes please! :) Without those, I'm about as much use to you as an ashtray on a motorbike.
     
  3. Miss Leigh

    Miss Leigh Private E-2

    Wow ... this is going to take some thought. I'm not sure that an ashtray on a motorbike is so useless; in fact, it may be a marketable idea. Wow ... and it's been so long since I've had a cigarette ... While I'm contemplating this koan of yours, I'll figure out how to attach those things and will get them to you in my next message. Wow ... ;)
     
  4. Miss Leigh

    Miss Leigh Private E-2

    So I guess I have to send multiple replies, because I'm only allowed to append five files, and I've already done so. Malwarebytes is still installed and regularly running scans, so I've attached both the ones I did originally on 10/12 and then the ones that it did spontaneously yesterday 10/13--gee, wait, today is 10/13... so it must've done those while I was reading my email.

    OK--more to come.
     


  5. Miss Leigh

    Miss Leigh Private E-2

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You did indeed, and I am sorry to hear you're not feeling the best.

    Please re run Hitman and have it delete Potential Unwanted Programs.

    Delete this:
    C:\Users\God\AppData\Roaming\SearchProtect

    Now explain how things are running.
     
  7. Miss Leigh

    Miss Leigh Private E-2

    I deleted that "searchprotect" thing as you suggested. I ran hitman and am attaching the log, because it only came up with some stuff that it suggested I could ignore, so I'm not sure what to do? Just nuke it all?

    Now, what about these appearances of dOwNlOaD KeEePeUr (and variations) in the registry? Can I just manually delete them all without worrying I will harm the PC? Why aren't the anti-malware programs picking up this nonsense?
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you indeed let Hitman fix all those entries it found under the heading Potential Unwanted Programs? The log you attached does not specifically show "deleted".

    It also detects a proxy server. Are you purposely set up to use one?

    Finally, these reg entries you mention... you can just delete them if you wish. The download Keeper ones. Are you comfortable doing this?
     
  9. Miss Leigh

    Miss Leigh Private E-2

    << Did you indeed let Hitman fix all those entries it found under the heading Potential Unwanted Programs? The log you attached does not specifically show "deleted". >>

    No, I didn't, because I didn't recognize them as "Potential Unwanted Programs" per se, they just looked like a lot of random garbage, not actually programs. I will go ahead and delete the random garbage.

    <<It also detects a proxy server. Are you purposely set up to use one?>>

    Uh, no. I haven't used a proxy server since I was on dialup at my last address several years ago. Via that proxy server I invited some malware onto this very same laptop courtesy of AT&T's free "Accelerator." $15.95/month for lousy dialup from AT&T, but as a bonus you get lousy malware for free! Yippee!!! I guess I didn't remove all traces?

    <<Finally, these reg entries you mention... you can just delete them if you wish. The download Keeper ones. Are you comfortable doing this?>>

    As long as I can manually search and delete those weirdo entries without wreaking havoc on my laptop, fine. I went to town cleaning out the registry in my previous laptop and I'm not sure it was all good.

    I'm still getting "resolving host" issues and was just kicked off the WiFi without explanation and had to log off and log back on to get back on WiFi. For some reason, the diagnosing service refuses to work, but maybe that's just Microsoft's way of keeping in touch, with another random annoyance.

    I will run Hitman and let you know the upshot.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, run Hitman and have it clean the garbage and the proxy entry.
    Then we can discuss the download keeper reg entries.
     
  11. Miss Leigh

    Miss Leigh Private E-2

    OK - cleaned the garbage and the proxy entry, and manually deleted all the references I could find to DoWnLoAd KeEePeUr (or whatever). I did find two entries and took screen shots, which I attach, because I don't know what to do with them, I didn't touch them, but I used PAINT to put circles around the odd elements, and await your suggestion.

    Saw that WinZip offers a system performance scan, and it claimed to dredge up more useless registry entries, but when I asked WinZip to fix, it asked me to buy more software, so I declined. I ran HitMan again, and it says I have a clean system. ???

    That being said, I'm still getting "resolving host" problems. If I have no malware at this point, then there must be another solution??? I would like to remove ALL bloatware of any sort from my PC, and I would like to know why my two attempts to update my Vista with Service Pack 1 failed both times, so I can't even get to service pack 2, so I can't upgrade my IE (not that I use it, but it's handy once in a while to have an alternate browser). Harumph!

    Which forum should I head to now? :-/
     


  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, I agree that posting in the software forum is next on your list. :) You can ask about that reg entry there too. It seems to be related to download keeper but you can check with the guys in software to verify.
     
  13. Miss Leigh

    Miss Leigh Private E-2

    OK - so I clicked on "thanks" and hopefully the number of times you have been thanked will increase proportionately (I guess that means by 1). Sending a hug, too, just because that's the sort of thing I do. Also just want to comment on your tagline, "The truth is, everyone is going to hurt you. You just got to find the ones worth suffering for": similar to your comment about being as useful as an ashtray on a motorbike (which I still say might in fact be useful, so long as it has a cover), every time I've read this remark about choosing for whom you suffer, I have to think twice. It really is like a Zen koan, IMHO, insofar as it presents a proposition which cannot necessarily be solved. And because I like to think (far too much), I thank you! ;-) Now, off to software! Cheerio!
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thank you. :) *sends you a hug straight back*

    roflmao I'm going to have to start thinking about this seriously.

    wow, that is quite deep. :)
    You really are most welcome. Safe surfing!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double-click (if running Vista, Win 7, or Win 8, right-click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work through the link below:
     
  15. Miss Leigh

    Miss Leigh Private E-2

    Worse than EVAH! :cry

    Cannot remember which process found what, but I'm attaching whatever logs are dated today. Horrid! How did I pick up more malware after I just went through nuking all the malware on my system?

    What is this thing with Chrome that it is allowing malware to exploit some vulnerability in its new version?

    Keep finding this in chrome browser history:

    chrome-search://local-ntp/local-ntp.html

    WTF is THAT? That was in the history at the very time my status showed my dialup connection working at full speed and Chrome started telling me it could not access the network.

    Things weren't peachy this morning, but then at some point this afternoon, I tried to access a webpage and I got a blank page saying the network isn't accessible right now. Nonetheless, my dial-up status window showed the connection sending and receiving at top speed. Kept trying to access the Internet via both Chrome and Internet Explorer (version 7 because I have been unable to install Vista Service Pack 1 so I could upgrade to version 8 or 9--have tried twice to install SP1 & failed twice after more than an hour of boring wait-time) and failing, so I disconnected dial-up. Dickens of a time getting reconnected. Even the times where I was successfully able to dial in and status showed connected but inactive, still could not access the network.

    My connection kept going to IPv4 Local IPv6 Limited. This local business drives me nuts; and why IPv6 even shows as Limited IDK because I went in the Registry and supposedly disabled it? And ultimately, IPv4 goes from Limited to Internet to Local to dead within minutes.

    Why I've been able to get on at this moment I've no idea? IDK, other than having run a bunch of scans again. I wish I could remember which one found what. Will attach more with next message. :confused

    HALP! :(
     


  16. Miss Leigh

    Miss Leigh Private E-2

    zip file
     


  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'm sorry Miss Leigh but I am not seeing any malware in those logs.

    You definitely need to post in the software forum. :)
     
  18. Miss Leigh

    Miss Leigh Private E-2

    Dear Falcon-Lady: :)

    I have a NEW problem! TaDA! It's always something...

    I picked up these annoying tracking cookies, statse.webtrendslive.com and m.webtrends.com. I blocked them and deleted them, but I'm still having lots of problems with "resolving host" and "this webpage is not available." So I went through MajorGeeks SOP for removing malware. Only RogueKiller found some stuff--first scan, it found one "PUM"; when I came back to get rid of that thing after going through all the other scanning software (which found nothing at all), on re-scan it picked up about six "PUMs" (whatever those are?). I deleted those. (Attaching 5 of 6 RK logs FWIW? If you want that sixth one, too, I'll send it along?)

    I turned UAC back on, but I CANNOT TURN ON MY FIREWALL!

    In fact, I never turned off my firewall. But now it won't turn itself on, and I can't turn it on manually. It says the Firewall is not set to Windows recommended settings, but it won't fix the settings, because it isn't on and won't turn itself on when I tell it to. Windows tells me to look at the Event Viewer Log to find out WHY I can't turn on Windows Firewall, but when I try to look at the Event Viewer, that service isn't started, and won't start no matter what I do (I tried standing on my head and sticking my tongue out, but it still refused LOL). Might as well throw in that Windows Diagnostic Policy Service (or some such thing) also refuses to start.

    NOW WHAT??? :cry

    -- would throw PC out the window if I weren't so addicted to it
     


  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You should not be fixing things on your own with RogueKiller!

    As I previously explained, I think you would be a lot better off posting in the software forum. However, let me just ask, when you open up Services, is the Windows Firewall service listed? If so, let me know its status and startup type. When you try to start it (if you see it), do you get any errors at all?
     
  20. Miss Leigh

    Miss Leigh Private E-2

    Whoops re RogueKiller--just wanted to demonstrate due diligence. Have posted in software forum, but the Firewall not working, nor the Diagnostic Policy service, nor something else that the Firewall depends on, is worrisome in a "WTF-got-into-my-PC?" kind of way.

    What I've done is taken screenshots of each dialogue box and error message so you know what is happening. At first I had the Firewall set on "I will monitor this myself" (or whatever the exact lingo is), because when the firewall stopped working, I fooled around clicking on different links and ended up with that setting--and couldn't figure out how to restore the setting for using Windows Firewall. In the end, I restored the setting telling Windows to use its own Firewall, but it made no difference. The firewall still won't start, and you can see all the error messages I got from the attached (in two messages) 8 JPEG screenshots.
     


  21. Miss Leigh

    Miss Leigh Private E-2

    Last 4 files - so there are a total of 9 screenshots to tell the story, not 8 as I had previously said. :-/
     


  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  23. Miss Leigh

    Miss Leigh Private E-2

    Ms. Kestrel:

    I *JUST* fixed my firewall problem by doing a system restore from the restore point (11/2) just prior to when I so-called "fixed" the so-called "PUMs" detected by RogueKiller (11/5)--as you warned me NEVER to do, except not until AFTER I'd done the dirty deed--ALAS! NOTHING ELSE helped restore my firewall, no article could pinpoint the problem, no Microsoft FixIt widget, NOTHING could remedy the problem. Whatever RogueKiller removed has now been restored, along with the functionality of my firewall (phew!), and if it would help refine someone's understanding of firewall problems as well as potential problems with RogueKiller, I will re-do the RK scan and turn over the log to you for examination WITHOUT DOING ANY FIXES. Let me know if that would be helpful?

    Miss Leigh ;)
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Glad you're all sorted. :)
     
