
Malware problem?: problems with Windows 7 Starter

Discussion in 'Malware Removal' started by ChemMD, Apr 9, 2013.

  1. ChemMD

    ChemMD Private E-2

    I started having problems with my notebook earlier this afternoon. First, I could NOT find the usual button for internet access on the right side of the horizontal bar on my desktop. When I look for it under Networks it is labeled as unknown. Second, Microsoft Outlook stops working when I start it. I first discovered this when I rebooted under Safe Mode to find out if this corrects the problem. Third, I get a warning message to a) Turn on Windows Firewall, and b) Change Windows Update settings. Clicking on these does NOT correct the problem, i.e., Windows Firewall remains off and Windows Update settings are NOT changed.
     

    Attached Files:

  2. ChemMD

    ChemMD Private E-2

    Hello to all! I tried to fix my problem by restoring my system to an earlier restore point, but I got an error message. "The specified object was not found. (0x80042308)" It also tells me no changes were made, and that I should try system restore again.

    I checked the Microsoft Community forums for a similar problem. They suggested troubleshooting as follows: disable antivirus, place the computer in clean boot state, and try to create a restore point. Creating a restore point was unsuccessful, and I got the same error message as above. BTW, I undid the temporary changes recommended.

    What should I do next to solve my continuing problem?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below proxy server setting something you installed?

    [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (182.18.209.6:3128) -> FOUND

    Also one more question, did you install Check Point VPN?
     
    Last edited: Apr 13, 2013
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Only fix the proxy server entry below if it is not something you installed.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blekko.com/ws/?source=5f97ddbe&tbp=homepage&u=6c6aa03700000000000054d4c0b44710
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 182.18.209.6:3128
    R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
    O2 - BHO: Blekko Search Bar Helper Object - {BAE35237-8D73-44D0-905C-8A95EA1E7E69} - C:\Program Files\blekko\spamfreesearch\1.8.3.9\bh\spamfreesearch.dll
    O3 - Toolbar: Blekko Search Bar Toolbar - {EECF410C-006C-4A05-AD13-6741A0814DBF} - C:\Program Files\blekko\spamfreesearch\1.8.3.9\spamfreesearchTlbr.dll
    O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\SEARCH~1\Datamngr\DATAMN~1.EXE
    O20 - AppInit_DLLs: C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~1\SEARCH~1\Datamngr\IEBHO.dll

    After clicking Fix, exit HJT.

    Now uninstall the below programs
    Blekko Search Bar
    iLivid
    Search-Results Toolbar

    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Program Files\SEARCH~1
    C:\Program Files\blekko
    C:\Windows\Temp\*.*
    C:\Users\Inocencio Alejandro\AppData\Local\Temp\*.*
     
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "DATAMNGR"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iLivid]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilividtoolbarguid]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{67A2568C-7A0A-4EED-AECC-B5405DE63B64}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A4705A98-123C-4F53-8742-1D43275C867A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAE35237-8D73-44D0-905C-8A95EA1E7E69}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{EECF410C-006C-4A05-AD13-6741A0814DBF}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"="res://ieframe.dll/tabswelcome.htm"
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large Move It! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
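The seven HijackThis lines above carry the indicators a defender cares about: an IE ProxyServer value pointing at an address outside the machine, a populated AppInit_DLLs value (DLLs loaded into every process that links user32.dll), browser helper objects and toolbars, and a Run entry sitting in the same directory as the injected DLLs. As an added example that is not part of this thread and not a MajorGeeks or HijackThis tool, the Python script below parses HijackThis-style scan lines and triages them on exactly those criteria. The section prefixes (R0, R1, R3, O2, O3, O4, O20) are HijackThis's own categories; the severity scheme, the function names and the correlation of Run entries with AppInit_DLLs directories are my own design. The sample input is the seven lines quoted from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input: the seven HijackThis lines quoted in the post above.
SAMPLE_HJT_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blekko.com/ws/?source=5f97ddbe&tbp=homepage&u=6c6aa03700000000000054d4c0b44710",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 182.18.209.6:3128",
    r"R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)",
    r"O2 - BHO: Blekko Search Bar Helper Object - {BAE35237-8D73-44D0-905C-8A95EA1E7E69} - C:\Program Files\blekko\spamfreesearch\1.8.3.9\bh\spamfreesearch.dll",
    r"O3 - Toolbar: Blekko Search Bar Toolbar - {EECF410C-006C-4A05-AD13-6741A0814DBF} - C:\Program Files\blekko\spamfreesearch\1.8.3.9\spamfreesearchTlbr.dll",
    r"O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\SEARCH~1\Datamngr\DATAMN~1.EXE",
    r"O20 - AppInit_DLLs: C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~1\SEARCH~1\Datamngr\IEBHO.dll",
]

# Every HijackThis line starts with a section code (R0, O2, O20, ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low" (my own scheme, not a HijackThis rating)
    detail: str
    line: str


def external_proxy(value):
    """True if a ProxyServer value (host:port) points outside loopback/private/link-local ranges."""
    host = value.rsplit(":", 1)[0].strip()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname rather than an IP: cannot classify it, so flag for review
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def parent_dir(path):
    """Directory part of a Windows path, lower-cased so 8.3 and long forms of the same dir compare equal."""
    return path.rsplit("\\", 1)[0].lower()


def triage(lines):
    """Parse HijackThis lines and return a list of Finding objects, one per recognised entry."""
    parsed = []
    for raw in lines:
        m = HJT_LINE.match(raw.strip())
        if m:
            parsed.append((m.group("section"), m.group("body"), raw.strip()))

    # First pass: directories named in AppInit_DLLs, used to correlate Run entries below.
    injected_dirs = set()
    for section, body, _ in parsed:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body[len("AppInit_DLLs:"):].split():
                injected_dirs.add(parent_dir(dll))

    findings = []
    for section, body, raw in parsed:
        if section == "R1" and "ProxyServer = " in body:
            value = body.split("ProxyServer = ", 1)[1]
            if external_proxy(value):
                findings.append(Finding(section, "high", f"IE proxy routes browsing through external address {value}", raw))
            else:
                findings.append(Finding(section, "low", f"IE proxy set to internal address {value}", raw))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body[len("AppInit_DLLs:"):].split()
            if dlls:
                findings.append(Finding(section, "high", f"{len(dlls)} DLL(s) injected into every process via AppInit_DLLs", raw))
        elif section == "O4":
            # "HKLM\..\Run: [NAME] command" -> keep only the command part
            cmd = body.split("] ", 1)[1] if "] " in body else body
            if parent_dir(cmd) in injected_dirs:
                findings.append(Finding(section, "high", "Run entry lives in the same directory as an AppInit_DLLs injector", raw))
            else:
                findings.append(Finding(section, "medium", "autostart entry; verify publisher and path", raw))
        elif section in ("O2", "O3", "R3"):
            if body.endswith("(no file)"):
                findings.append(Finding(section, "low", "orphaned browser extension registration (file missing)", raw))
            else:
                findings.append(Finding(section, "medium", "browser helper/toolbar/search hook loaded into IE", raw))
        elif section == "R0" and "Start Page = " in body:
            host = urlparse(body.split("Start Page = ", 1)[1]).hostname
            findings.append(Finding(section, "low", f"start page redirected to {host}", raw))
    return findings


def summary(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LINES)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.section}: {f.detail}")
    print(summary(results))
```

On the sample input the script rates the proxy, the AppInit_DLLs value and the DATAMNGR Run entry as high, the two Blekko extensions as medium, and the orphaned URLSearchHook and the start page as low. The correlation step is the part worth copying: a Run entry is far more suspicious when its directory also hosts a DLL that AppInit_DLLs pushes into every process, which is exactly the Datamngr pattern in this thread.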
     
  5. ChemMD

    ChemMD Private E-2

    Is the below proxy server setting something you installed?

    [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (182.18.209.6:3128) -> FOUND

    Also one more question, did you install Check Point VPN
    __________________

    I saw this earlier message after I read and started implementing your suggestions on what to do. On the first point, I am unsure. It may be my web service provider settings but I already removed it as recommended in your second post. On the second question, I did NOT install that. Thanks. Will let you know how things work out after I finish all the steps in your second post.

    Thanks a lot!
     
  6. ChemMD

    ChemMD Private E-2

    The problems persist: the error message on failing to connect with windows service; "the dependency service or group failed to start." when I click on the icon for my internet connection; "Action Center can't turn on Windows Firewall."; and "Microsoft Outlook has stopped working" when I try to open Microsoft Outlook. I also noticed for the first time two hidden files on my desktop named desktop.ini. I changed the view options to NOT show the hidden files.

    I followed all the steps indicated in your post. Here are my notes on what happened as I followed the steps...
    At the point "Now uninstall the below programs"... I uninstalled the programs using Control Panel/Programs and Features/Uninstall or Change a Program

    I followed the steps from "Please download OTM" up to "Now click the large Move It! button"... at this point I got the below error message...
    OTM:OTM.exe - Bad Image C:\User\Inocencio Alejandro\AppData\Local\Temp\yplazprv.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.

    The computer automatically went into reboot after giving me a message on OTM that it was successful.

    There were NO problems in the Junkware Removal Tool steps and the MGtools step.
     

    Attached Files:

  7. ChemMD

    ChemMD Private E-2

    YES (this is the CORRECT ANSWER, please ignore my earlier response. Sorry about that. I checked my info)
     
  8. ChemMD

    ChemMD Private E-2

    Just an update. Microsoft Outlook is now working. I think it may be due to a Microsoft Windows update that happened while I was following help from Microsoft forums. The Internet connection icon on the taskbar still has an X, and Windows Firewall still cannot be turned on.

    I have also downloaded and installed the drivers for the chipset, wireless and the WLAN from the PC manufacturer's website. This has not corrected the Code 31 error in Device Manager/Network Adapters.

    Hope to hear about suggestions to move forward in solving these. Thanks!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Be patient while doing the below. The fixes can sometimes take quite a while to run, especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  10. ChemMD

    ChemMD Private E-2

    Thanks! Will start work on this right away and let you know what happens.
     
  11. ChemMD

    ChemMD Private E-2

    When I did this Windows Repair started repairs as seen in Log tab, but I got this error message... Execute processes remotely has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solutions is available....

    I pressed Close Program and the program continued work. This happened several times. It then automatically stopped, but did NOT restart the computer. I restarted the computer and proceeded with the next steps.
     
  12. ChemMD

    ChemMD Private E-2

    Here's the MGLogs.zip after running MGTools.bat... The error messages still persist: X on Network icon, turn on windows firewall. A new one on Update Windows Defender also appeared. Thanks for continuing to help.
     

    Attached Files:

    Last edited: Apr 20, 2013
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Windows Repair did not run properly. Please boot into safe boot mode and run it there. Then reboot back into normal mode and attach another new MGlogs.zip file after running C:\MGtools\GetLogs.bat again.
     
  14. ChemMD

    ChemMD Private E-2

    Thanks for the next step. Windows Repair ran without a hitch, but I did notice while watching that a few of the permissions failed on the popup screen. I still have the red X on the Network icon, and the error message on updating Windows Defender.

    Here are the new logs. Will wait for the next step :)
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your logs, no network interface card is showing up. You will most likely have to reinstall the drivers for your network card. Another thing that may work could be to delete the hardware using Windows Device Manager, but do not allow it to delete any files. Then reboot. It should automatically redetect the hardware and possibly reinstall and repair the connection.
     
  16. ChemMD

    ChemMD Private E-2

    Thanks for the possible next steps. I do NOT know how to do the 2nd option: "delete hardware using Windows Device Manager.."

    When I checked Device Manager to reinstall the drivers for the network card, I saw an error icon that looks like a yellow triangle with an ! mark in the middle for several items: one item marked Unknown Device in Other Devices, and eleven (11) items in Network Adapters. The eleven items are: Realtek PCIe FE Family Controller, Realtek RTL8188CE Wireless LAN 802.11n COMBO PCI-E NIC, Teredo Tunneling Pseudo-Interface, WAN Miniport (IKEv2), WAN Miniport (IP), WAN Miniport (IPv6), WAN Miniport (L2TP), WAN Miniport (Network Monitor), WAN Miniport (PPPOE), WAN Miniport (PPTP), and WAN Miniport (SSTP).

    The Device Status on NIC reads: "This device is not working properly because Windows cannot load the drivers requested for this device. (Code 31)"

    The Device Status on Unknown Device reads: "The drivers for this device are not installed. (Code 28) There is no driver selected for the device information set or element. To find a driver for this device, click Update Driver."

    I tried to reinstall the NIC as you recommended by Uninstalling the Driver and then Scan for Driver Changes. The error message was "Device driver software was not successfully installed."

    Thinking that the Unknown Device is the Network Interface Card, I tried to uninstall it, reboot, then scan for hardware changes. The Other Devices icon is no longer there, but the yellow error marks are still the same under Network Adapters.

    Encouraged by this, I proceeded to uninstall NIC and got the error message (Code 1) under the Device Status. I found the NIC driver from the Lenovo site and installed it. The computer said it was installed successfully and to reboot which I did. When I checked Network Adapters in Device Manager, I saw the same yellow error mark in the NIC as well as the others mentioned above. I tried Update Driver in NIC, and got "The best driver software for your device is already installed."

    BTW, when I check ipconfig /all the information I get is just Windows IP Configuration. Host Name and Primary Dns suffix are blank. Node type is Hybrid, and NO for both IP Routing Enabled and WINS Proxy Enabled. Does this help?

    What do I do next? :) I am leaving in 12 hours for several days, but will be back 29-Apr morning (GMT+8). I can still do more work on this today in case you have a quick reply.

    Thanks a lot!
     
    Last edited: Apr 23, 2013
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really. That is what you would expect with no NIC installed or working.

    I suggest that you post in the Networking Forum to see if you can get help repairing this. It is not a malware problem.
     
  18. ChemMD

    ChemMD Private E-2


    Thanks for your help! I will do that. Does this mean that my notebook is now free of malware? I uninstalled the antivirus to test whether program conflicts were causing the problems during malware removal, may I install one now?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes.

    Yes. I'm going to give you final instructions now, but I'm not going to include the removal of System Restore points, just in case you want to try using an old one (if there are any; your logs did not show any available) in hopes it would fix the network interface.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. After doing the above, you should work through the below link:
     
  20. ChemMD

    ChemMD Private E-2

    I tried System Restore before I asked help from this forum (and that did NOT work).




    1. I uninstalled this after running it the first time. Will re-install this and the antivirus software once I have regained internet access on my notebook computer.


      Done

      Done


      I failed to right-click to Run As Administrator, so I closed the popup window. When I checked the desktop and the C:\ folder MGTools-related folders are no longer there. Hope I did not mess anything up?


    I noticed that the first step was to work on Windows Update. I stopped here and will resume work once I have internet access on my notebook computer.

    I have posted on the Networking forum as you suggested. Waiting for a reply.

    Thanks again for your help.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Should be okay.

    Okay! Hope all goes well.
     
  22. ChemMD

    ChemMD Private E-2

    Just an update. Microsoft Security Essentials found Worm:Win32/Gamarue.O on my notebook computer. Went ahead and installed one while waiting for help in a separate forum here on my networking problem. I proceeded to remove it using MSE, and also ran a quick scan using Malwarebytes' Anti-Malware. That turned up no new threats. I am running a full MSE scan now on recommendation of the Microsoft site. Will update you later if any threat is found.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you had not fully completed my final instructions, this may have just been leftovers from what we already cleaned up. It may have been in quarantines or system restore (yet to be toggled).

    Tell me exactly where it found this. Like what folder/file names. What registry key..etc.
     
  24. ChemMD

    ChemMD Private E-2

    Hi, thanks for your reply. I do not have the details you ask for. These were not available when Microsoft Security Essentials "found" the worm, nor do I find them now in the History tab for MSE.

    MSE did NOT find any new problems on full scan. I guess I don't have to look further for malware problems, do I?

    Still waiting for a response from Networking forum. I went back to work on post-malware removal instructions. It turns out I already have Service Pack 1 of Windows 7. I just need to run Windows Updates when I get back my network connections working.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Most likely it was just what we already quarantined, because this is the name MS gives to some of the items we already fixed.

    No.

    I suggest that you finish the rest of my instructions that do not require a network connection. This way at least you have finished the cleanup and have removed all leftovers.
     
  26. ChemMD

    ChemMD Private E-2

    Thanks for your response. While waiting I went ahead and removed ALL security software that I can find installed (including MAM), tried to System Restore to an earlier automatic restore point. That did NOT work. Then tried to System Restore in safe mode (risky, I know). It WORKED! Writing this reply now using my notebook's internet connection. Will go ahead with the last steps you named here. Thanks a lot!
     
  27. ChemMD

    ChemMD Private E-2

    Hi again. It looks like my excitement was premature :( Am attaching logs from Step 4 of Vista & Windows 7 Malware Removal/Cleaning Procedure. Here is what happened.

    I followed the rest of your final instructions on this thread without any problems until the 8th step: How to Protect yourself from malware. I did the Windows Update without any problems. At the second step on installing an antivirus program, I noticed that my AVG free antivirus is back (I uninstalled this prior to the successful System Restore). There were two new error messages on the task bar: 1) on finding an antispyware online, and 2) turning on my antivirus program. When I clicked on the first, Windows tells me that I have two programs - Windows Defender and AVG free - that are turned off. This leads to a sequence that is supposed to turn it on, but it does not. When I clicked on the second, nothing happens. I tried to uninstall AVG through the Control Panel but that does not work either. I found and uninstalled web site advisors and search bars that were removed by our malware removal efforts earlier.

    Thinking that doing System Restore to an earlier point led me back to an infected state, I followed Step 4 noted above and am attaching the logs. Hope this helps you figure out where I am now. Please note that I cannot undo System Restore because I did it in Safe Mode. It was not possible using Normal Mode.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Correct. But this is still better than having no internet. When you first came here, your very first logs showed that your network interface was basically missing. Now you have the devices showing up and they work.

    Now we can reclean what we need to clean. I will probably get back to you late tonight on this with the next steps. In the meantime, please do not make any other changes at all to the system. The cleanup should be relatively easy.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blekko.com/ws/?source=5f97ddbe&tbp=homepage&u=6c6aa03700000000000054d4c0b44710
    R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (file missing)
    O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (file missing)
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgidsagent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgwdsvc.exe

    After clicking Fix, exit HJT.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Services
    AVGIDSAgent 
    avgwd
     
    :Files
    C:\Users\Inocencio Alejandro\AppData\Roaming\Mozilla\Firefox\Profiles\0x3adhg8.default\extensions\ffxtlbr@funmoods.com
    C:\Users\Inocencio Alejandro\AppData\Roaming\DriverCure
    C:\Users\Inocencio Alejandro\AppData\Roaming\SpeedyPC Software
    C:\ProgramData\SpeedyPC Software
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
    C:\$AVG
    C:\Program Files\AVG
    C:\Users\Inocencio Alejandro\AppData\Local\iLivid
    C:\Program Files\SEARCH~1
    C:\Program Files\blekko
    C:\Windows\Temp\*.*
    C:\Users\Inocencio Alejandro\AppData\Local\Temp\*.*
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Funmoods]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_USERS\S-1-5-21-2792451099-2161147092-3411897261-1000\Software\Datamngr]
    [-HKEY_USERS\S-1-5-21-2792451099-2161147092-3411897261-1000\Software\DataMngr_Toolbar]
    [-HKEY_USERS\S-1-5-21-2792451099-2161147092-3411897261-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{241DBC8D-14E3-4240-8EE5-3AC35086B638}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6F8CBBFB-7986-4140-91EC-D8C7F1EC8DF3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iLivid]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "DATAMNGR"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iLivid]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilividtoolbarguid]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{67A2568C-7A0A-4EED-AECC-B5405DE63B64}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A4705A98-123C-4F53-8742-1D43275C867A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAE35237-8D73-44D0-905C-8A95EA1E7E69}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{EECF410C-006C-4A05-AD13-6741A0814DBF}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"="res://ieframe.dll/tabswelcome.htm"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Check Point Endpoint Security"=-
    "AVG_UI"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large Move It! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  30. ChemMD

    ChemMD Private E-2

    Thanks for the next step! I was able to run everything without a hitch but please note the deviations below.

    I stopped working on the notebook as soon as I got your quick reply. Unfortunately, I did make some changes before then. I noticed two error messages about antivirus and antispyware. AVG won't start and can't be uninstalled. I found an AVG remover on this forum and used it successfully. Because I now have internet access without an antivirus I followed How to Protect yourself from malware on installing an antivirus and a firewall. I installed Microsoft Security Essentials and Comodo Personal Firewall. Because downloading slowed down noticeably with Comodo, I uninstalled it. It took more than an hour to uninstall and it was still going (HD LED light flickering). I went to bed and found it still shutting down when I woke in the morning. I used the notebook power switch to turn it off. Downloading became normal, and I have had no problem since.


    No problems here, except that blekko, search bar and AVG are no longer here. I uninstalled these from Control Panel/Programs when I was trying to uninstall AVG.


    No deviations here. I have a stupid question: I noted references to AVG here. Will that be a problem since I have uninstalled it earlier?

    A second question: the desktop shows hidden files now. I noticed two files with different dates named desktop.ini... In My Documents folder I notice that there are a few files that have both the actual file and a shortcut to the file. Is this a problem?

    No problems nor deviations in the rest of the steps. The logs are attached. Really appreciate your help.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For future reference, and this is stated right at the early sections of the READ & RUN ME, once you start working our procedures, you should only be doing what we ask you to do and nothing else until we finish.

    Your logs are clean. Are you having any malware problems? The desktop.ini files are normal.
     
  32. ChemMD

    ChemMD Private E-2

    I understand. Next time I will let you know of any deviations BEFORE acting on them. Thanks for your help.


    That is good to hear. No, I have not noticed any traces of the problems I described when we first started, including the error messages in Device Manager/Network Adapters.

    If I understand your sticky notes and your previous responses on this thread, I need to give this a few days to monitor for malware problems and then do the post-malware removal steps. Which do I follow - the one with toggling System Restore or the one in this thread without it?

    I am also now ready to back up my files on an external hard drive. When should I do that in the post-malware removal steps? And how often should I back up after this?

    Thanks again for your help!
     
  33. ChemMD

    ChemMD Private E-2

    Problems again :-( Since you told me to do as much as I can of the post-malware removal steps, I went ahead down the list. Defogger does not need to be uninstalled because it was already uninstalled earlier. Hijack This is NOT in the list of programs in Control Panel/Programs. I enabled UAC and ran MGClean.bat as instructed. I deleted c:\MGTools folder because it was still there. I then proceeded with How to Protect yourself from malware.

    Windows is up-to-date. Microsoft Security Essentials is up-to-date and working. I hesitated on the firewall because of my problems earlier in this thread, so I used some of the tests suggested. My windows firewall failed in the comodo test and the auditmypc test. I downloaded and installed Comodo Personal Firewall. When I restarted the computer as instructed after the install, I got this error message: "C:\PROGRA~1\cnosd\cnosd.exe This operation returned because the timeout period expired." Comodo personal firewall seems to be running because the color was green.

    The second problem was that Google Chrome froze while trying to log on to your site. I waited for a while, then I timed while waiting for two minutes, then turned the computer off using the power switch. I am now writing this message in the computer using Safe Mode with Networking. Will try to get online after this using Normal Mode. Will edit this message if I am able to do so.

    NOTE: I was able to get back in Normal Mode and get online without a hitch. Comodo Personal Firewall is green. Will stop work and wait for your instructions on the next step.
     
    Last edited: May 4, 2013
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what this cnosd.exe program is? It is something you have installed. But what is it? It loads at startup. It shows as the below in your uninstall programs list and this does seem suspicious.
    If you do not know what it is then uninstall it.


    You may want to uninstall Chrome, reboot and delete the below folder.

    C:\Users\Inocencio Alejandro\AppData\Local\Google\Chrome

    Then if you wish to still use Chrome, redownload and reinstall. You can get it here >> Google Chrome 26.0.1410.64 Stable
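    As an added example (not part of this thread and not a MajorGeeks tool), here is a PowerShell script that approaches chaslang's question about an unknown startup program such as cnosd.exe from a defender's side: it locates the Run entry, resolves the executable, checks its Authenticode signature and computes a SHA256 hash that can be looked up. It assumes an elevated PowerShell 2.0 or later on Windows 7, only reads the registry and file system, and takes the executable name from the thread as its default; the function names are hypothetical.

```powershell
# Added triage example; the only page-specific value is the default exe name.
param([string]$Name = 'cnosd.exe')

# Autostart locations to search: machine-wide and per-user Run keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutostartEntry {
    param([string]$ExeName)
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            if ("$($p.Value)" -match [regex]::Escape($ExeName)) {
                New-Object PSObject -Property @{ Key = $key; Value = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Get-ExeReport {
    param([string]$Command)
    # Recover the executable path from a command line such as "C:\dir\app.exe" /flag
    if ($Command -notmatch '^"?(.*?\.exe)"?') { return "Unrecognised command: $Command" }
    $path = $Matches[1]
    if (-not (Test-Path $path)) { return "Path not found: $path" }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $sha = [System.BitConverter]::ToString(
               [System.Security.Cryptography.SHA256]::Create().ComputeHash(
                   [System.IO.File]::ReadAllBytes($path))) -replace '-', ''
    New-Object PSObject -Property @{
        Path      = $path
        Signature = $sig.Status                   # Valid, NotSigned, HashMismatch ...
        Signer    = $sig.SignerCertificate.Subject # empty when unsigned
        SHA256    = $sha                          # compare with a reputation service
        Created   = (Get-Item $path).CreationTime # does it match when the problem began?
    }
}

# Report every autostart entry that references the name, then describe its executable.
Get-AutostartEntry -ExeName $Name | ForEach-Object {
    $_ | Format-List
    Get-ExeReport -Command $_.Command | Format-List
}
```

An unsigned binary with a recent creation date and no matching uninstall entry is the case that warrants removal or a second opinion; a validly signed file from a known vendor usually explains itself.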
     
  35. ChemMD

    ChemMD Private E-2

    Thanks for the next step. I googled cnosd.exe and found that it generally is reported safe. One Polish site seems a bit concerned about it. I uninstalled it.

    I also uninstalled Google Chrome without a hitch, but had a problem downloading it from your site. Something about it not being on my server. I downloaded it from the Google site (the stable one, of course) using Mozilla Firefox, and that crashed during the download and the install. I am also remembering now that in the recent past (?few weeks) Internet Explorer has had problems accessing a few websites. Do you think I should uninstall and re-install IE and MF? I use Google Chrome preferentially, and use MF as backup. Your sticky notes mention that IE is now safer than the rest (as of 2010?).

    No other immediate problems on my notebook so far, apart from the browser problems noted.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, some of our download page links are down right now.

    I suggest that you use IE to download it from Google. If Firefox is a problem then perhaps it needs to be reinstalled too. Actually IE is more secure than both Google and Firefox. We have more problems here with Google and Firefox than with IE. Also IE is easier to clean when infected. Google and Firefox frequently need to be reinstalled when they get infected.
     
  37. ChemMD

    ChemMD Private E-2

    Thanks for this. Based on your response, I decided to uninstall Mozilla Firefox because I rarely use it recently. I have re-installed Google Chrome successfully before my previous post.

    I am having problems with IE. When I open it, a pop-up window asks me if I want to allow Google toolbar for Internet Explorer. After I click to disallow it, I get multiple copies of the same pop-up window. It seems IE is infected but Microsoft Security Essentials and Malwarebytes' Anti-Malware find no malicious software. How do I clean IE? I cannot uninstall and re-install because IE is NOT in Control Panel/Programs and Features.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Google Toolbar is not an infection. You installed it when you installed the below software
    There is nothing to clean. Google Toolbar is not an infection. You installed it. If you do not want it then uninstall it.
     
  39. ChemMD

    ChemMD Private E-2

    Thanks. I have finished all the final steps in this thread, including How to Protect yourself from Malware! May I toggle System Restore now?
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Yes, since you now have network connectivity, you should do this to remove old and possibly infected restore points and establish a new clean starting point. The only reason we did not do this before was to try and use System Restore as a last chance option to fix the network problems. This is why our procedures only toggle SR after problems have been fixed. Too many sites have you do this first and antivirus companies do too. Then you are out of luck when something goes wrong. Our motto is "even an infected restore may be better than none at all when a problem arises". ;)
     
