Infected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by clixto, Oct 20, 2014.

  1. clixto

    clixto Specialist

    I’m trying to repair my mother-in-law's desktop. Script errors galore, so many pop-ups, etc. The internet is unusable because of this.
    Hitman, rogue killer, & tdsskiller found stuff but did not open a log.
    Still getting lots of pop ups etc..
    thanks in advance

    below is info on the laptop:
    Win 7 64 bit
    DELL INSPIRON N17110
    ACPIX64 BASED PC
    INTEL R PENTIUM R CPU B960 @2.2 GHZ
    4gb ram
     

    Attached Files:

    Last edited: Oct 20, 2014
  2. clixto

    clixto Specialist

    sorry rk did get a report
     
  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, clixto

    The TDSSKiller log is found here: C:\TDSSKiller.3.0.0.40_20.10.2014_08.23.36_log.txt

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts. *Re-enable them before physically reconnecting to your ISP.

    Rerun RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.
    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3497939736-4010866069-3823650550-1000\Software\Microsoft\Windows\CurrentVersion\Run | Yahoo! Search : C:\Users\DANTHRELL\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.12.4\dsrlte.exe -> Found
    • [Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | upfst_ca_117.exe : C:\Users\DANTHRELL\AppData\Local\fst_ca_117\upfst_ca_117.exe -runonce -> Found
    • [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3497939736-4010866069-3823650550-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.certified-toolbar.com...4C8E7EF08ED9152B32FBEDB25BD43124&st=chrome&q= -> Found
    • [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3497939736-4010866069-3823650550-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.certified-toolbar.com...4C8E7EF08ED9152B32FBEDB25BD43124&st=chrome&q= -> Found

    Then select the Tasks tab and select everything found, then click the Delete button again.
    Then immediately reboot your PC.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Using "Programs & Features" uninstall: (If you do not find it or it will not uninstall, just keep going.)
    Java 7 Update 51
    FastClean PRO
    Fraveen 1.4
    Groovorio
    HomeTab 7.0
    Media_Play_AIR+_1.1
    V-9.1HDV19.09
    Snap.Do

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Services
    rqpbhevlkc64
    :Files
    C:\ProgramData\BetTeRPRiceCChec
    C:\ProgramData\boost_interprocess
    C:\ProgramData\Deal4real
    C:\ProgramData\ExtrAShoopperr
    C:\ProgramData\Performance Optimizer
    C:\ProgramData\PriceDowNlioader
    C:\ProgramData\ShoppingDealFactory
    C:\ProgramData\soaverona
    C:\ProgramData\TicaTaCoupon
    C:\Program Files (x86)\BetTeRPRiceCChec
    C:\Program Files (x86)\Deal4real
    C:\Program Files (x86)\ExtrAShoopperr
    C:\Program Files (x86)\Fraveen 1.4
    C:\Program Files (x86)\HomeTab
    C:\Program Files (x86)\Media_Play_AIR+_1.1
    C:\Program Files (x86)\PriceDowNlioader
    C:\Program Files (x86)\sizlsearch
    C:\Program Files (x86)\soaverona
    C:\Program Files (x86)\TicaTaCoupon
    C:\Program Files (x86)\vGrabber-software
    C:\Users\DANTHRELL\AppData\Local\fst_ca_117\upfst_ca_117.exe
    C:\Users\DANTHRELL\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.12.4\dsrlte.exe
    C:\Program Files\004\rqpbhevlkc64.exe
    C:\Program Files\004
    C:\Program Files (x86)\3EB1E6A5-AB21-42D0-AD98-AF8EE30368B5\SupraSavingsService64.exe
    C:\Program Files (x86)\3EB1E6A5-AB21-42D0-AD98-AF8EE30368B5
    C:\Windows\TEMP\*.*
    C:\Users\DANTHRELL\AppData\Local\Temp\*.*
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611171176}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92aa6038-35c9-4666-893f-84716dec281c}]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "fastclean"=-
    "Yahoo! Search"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SunJavaUpdateSched"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "SunJavaUpdateSched"=-
    [HKEY_USERS\S-1-5-21-3497939736-4010866069-3823650550-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "Yahoo! Search"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Make sure to shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Next download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
    • Now click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • Look over the log especially under Files/Folders for any program you want to save.
    • If there's a program you may want to save, just uncheck it from AdwCleaner.
    • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
    • If you're ready to clean it all up.....click the Clean button.
    • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
    • Attach that logfile to your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder, which is created when running the tool.

    Now install the current version of Sun Java from:
    Make sure that when you install the new version of Java you uncheck the Install the Ask Toolbar junkware checkbox. You do not want to add junk that most people consider malware to your PC. Also, just in case Oracle changes the Java installation in the future to possibly install other junk, uncheck everything except installing Java.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select "Run As Administrator").

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    • AdwCleaner[R#].txt
    • C:\TDSSKiller.3.0.0.40_20.10.2014_08.23.36_log.txt
    Make sure you tell me how things are working now!
     
  4. clixto

    clixto Specialist

    quick question..what do you mean by this? "*Re-enable them before physically reconnecting to your ISP".
    I actually uninstalled Avira to avoid conflicts. Should I reinstall it before doing this?
     
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    My meaning was that one should be aware that disabling their protection software while still physically connected to the internet through their modem/router is a security risk, especially if they have DSL or broadband access.
    You should have av & firewall in place and working before coming back online.
     
  6. clixto

    clixto Specialist

    Didn’t see this one in RogueKiller:
    [Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | upfst_ca_117.exe : C:\Users\DANTHRELL\AppData\Local\fst_ca_117\upfst_ca_117.exe -runonce -> Found
    When I ran Run C:\MGtools\analyse.exe I didn’t see this one:
    O4 - HKCU\..\Run: [Yahoo! Search] C:\Users\DANTHRELL\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.12.4\dsrlte.exe


    Still getting these when I open the firefox browser:
    About blank pop ups
    Ad pop ups

    didn't go to the next step (OTM) yet
     
  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please complete all of the steps and attach the requested logs.
     
  8. clixto

    clixto Specialist

    nothing came up in the otm window after opening it
     
  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    I do not understand what you are saying.

    Re-read my instructions that tell you to "Copy & Paste" everything in the Code box into OTM's left-side pane that has the heading "Paste instructions..etc", then click the MoveIt tab.
     
  10. clixto

    clixto Specialist

    oops, my bad. I continued on with other steps. Should I repeat again starting from OTM?
     
  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Yes - this time following my steps exactly!

    Attach all of the logs that I requested in your next reply.
     
  12. clixto

    clixto Specialist

    attached are the files. Again sorry..got very distracted with these pop ups and lagging laptop
     

    Attached Files:

  13. clixto

    clixto Specialist

    After completing everything I am still getting "about.blank" pop up windows
     
  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Using "Programs & Features" uninstall the following: (If you do not find it or it will not uninstall, just keep going.)
    • Clickfree Easy Image
    • Media Downloader version 1.5
    Using Windows Explorer - navigate to and delete these:
    • C:\Users\DANTHRELL\Desktop\FLVMPlayer.exe <--- file
    • C:\ProgramData\Clickfree <---folder
    • C:\Program Files (x86)\EZ Software Updater <---folder
    • C:\Windows\Installer <---folder

    Please run another scan with HitmanPro and then attach the latest HitmanPro log.
     
  15. clixto

    clixto Specialist

    Just want to clarify the second part: go to c drive under windows explorer to find these files and delete?
     
  16. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

  17. clixto

    clixto Specialist

    I was able to delete the files and folders except click free. Says it is being used by another program
     
  18. clixto

    clixto Specialist

    attached is the hitman file
     

    Attached Files:

  19. clixto

    clixto Specialist

    Hi doc did you get a chance to look at my reply?
     
  20. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Sorry - was on the road traveling yesterday.

    *Had you tried to uninstall Clickfree Easy Image and re-booting before you tried to delete C:\ProgramData\Clickfree? Have you tried deleting in Safe Mode?

    We need OTM by Old Timer that you saved to your Desktop again.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Files
    C:\Users\David\AppData\Local\{18E0BE49-7829-4A77-90F5-0427D1F396F4}
    C:\Users\DANTHRELL\AppData\Local\CompTmp.exe
    C:\Users\DANTHRELL\Downloads\jvlsetup.exe
    C:\Windows\System32\Tasks\Browser Updater\Browser Updater
    C:\Windows\System32\Tasks\Browser Updater
    C:\Windows\System32\Tasks\ProtectedSearch\Protected Search
    C:\Windows\System32\Tasks\ProtectedSearch
    C:\Windows\System32\Tasks\SystemSockets\SystemSockets
    C:\Windows\System32\Tasks\SystemSockets
    :Reg
    [-HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6EC77D09-02CB-4E1F-E3C4-FB141B2610B3}]
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Activeris AntiMalware_is1]
    [-HKLM\SOFTWARE\Classes\.3gp\newp.backup]
    [-HKLM\SOFTWARE\Classes\.AAC\newp.backup]
    [-HKLM\SOFTWARE\Classes\.aif\newp.backup]
    [-HKLM\SOFTWARE\Classes\.avi\newp.backup]
    [-HKLM\SOFTWARE\Classes\.mov\newp.backup]
    [-HKLM\SOFTWARE\Classes\.mp3\newp.backup]
    [-HKLM\SOFTWARE\Classes\.mp4\newp.backup]
    [-HKLM\SOFTWARE\Classes\.mpeg\newp.backup]
    [-HKLM\SOFTWARE\Classes\.mpg\newp.backup]
    [-HKLM\SOFTWARE\Classes\.wav\newp.backup]
    [-HKLM\SOFTWARE\Classes\.wma\newp.backup]
    [-HKLM\SOFTWARE\Classes\.wmv\newp.backup]
    [-HKLM\SOFTWARE\Classes\Applications\NewPlayer.exe]
    [-HKLM\SOFTWARE\Classes\Record\{05660A04-00F1-3A04-AB3B-BC1074B84D67}]
    [-HKLM\SOFTWARE\Classes\Record\{2009AF2F-5786-3067-8799-B97F7832FDD6}]
    [-HKLM\SOFTWARE\Classes\Record\{37AC0F3B-749F-3B22-811B-5A019EED2E85}]
    [-HKLM\SOFTWARE\Classes\Record\{425E7597-03A2-338D-B72A-0E51FFE77A7E}]
    [-HKLM\SOFTWARE\Classes\Record\{4392A6CC-7940-310E-8E16-799A8D93A438}]
    [-HKLM\SOFTWARE\Classes\Record\{66DF7821-ED6D-3534-893C-0E89E74B0F91}]
    [-HKLM\SOFTWARE\Classes\Record\{755CAFCC-F016-3B06-8F22-945EAA3AD10D}]
    [-HKLM\SOFTWARE\Classes\Record\{76552F88-640C-314D-82B6-0D8A740907F7}]
    [-HKLM\SOFTWARE\Classes\Record\{903F9872-E87F-3B74-83B0-DBE10073B29D}]
    [-HKLM\SOFTWARE\Classes\Record\{915BB7D5-082E-3B91-B1E0-45B5FDE01F24}]
    [-HKLM\SOFTWARE\Classes\Record\{9558EEB4-CDA6-3778-B53B-98076F0A1E90}]
    [-HKLM\SOFTWARE\Classes\Record\{B25AA9BA-FD52-3E5E-BFE3-9B106779DA6E}]
    [-HKLM\SOFTWARE\Classes\Record\{C852CF9F-37DC-35AC-926A-7E6CFFF7C501}]
    [-HKLM\SOFTWARE\Classes\Record\{C9777796-4378-3C90-B52D-7238FFFC2A5C}]
    [-HKLM\SOFTWARE\Classes\Record\{DB1BC8B2-FDBF-30E7-BE1C-AFF9160059E6}]
    [-HKLM\SOFTWARE\Classes\Record\{F3D5729C-7DEB-3850-A026-D0E323ECFEF5}]
    [-HKLM\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9}]
    [-HKLM\SOFTWARE\Classes\Record\{FEC70973-CB8B-351C-8047-CAE1274CE249}]
    [-HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKLM\SOFTWARE\Classes\Unknown\shell\openas\command\Advanced System Protector.bak]
    [-HKLM\SOFTWARE\Classes\Unknown\shell\opendlg\command\Advanced System Protector.bak]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Browser Updater]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProtectedSearch]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemSockets]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110511841188}]
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110511841188}]
    [-HKLM\SOFTWARE\Wow6432Node\Taronja]
    [-HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}]
    [-HKU\.DEFAULT\Software\AskPartnerNetwork]
    [-HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKU\S-1-5-18\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}]
    [-HKU\S-1-5-18\Software\AskPartnerNetwork]
    [-HKU\S-1-5-19\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKU\S-1-5-19\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}]
    [-HKU\S-1-5-20\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKU\S-1-5-20\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}]
    [-HKU\S-1-5-21-3497939736-4010866069-3823650550-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SnapDo.exe]
    :commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Let's see if anything new shows up - Please run another HitmanPro scan and attach the logs, please.

    How is the machine running?
     
  21. clixto

    clixto Specialist

    no worries...I will try and get back
     
  22. clixto

    clixto Specialist

    did you want me to run otm again or just give the original one?
     
  23. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please run all my fix instructions in my latest post #20, to remove what was found in your previous attachment. Then attach the new log to confirm that nothing new has arrived afterwards.

    dr.m
     
  24. clixto

    clixto Specialist

    ok doing hitman scan now and will post shortly. was able to delete click free through safe mode
     
  25. clixto

    clixto Specialist

    Attached is otm and hitman
     

    Attached Files:

  26. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Running OTM.exe again...
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Files
    C:\Windows\System32\Tasks\Browser Updater\Browser Updater
    C:\Windows\System32\Tasks\Browser Updater
    C:\Windows\System32\Tasks\ProtectedSearch\Protected Search
    C:\Windows\System32\Tasks\ProtectedSearch
    C:\Windows\System32\Tasks\SystemSockets\SystemSockets
    C:\Windows\System32\Tasks\SystemSockets
    :Reg
    [-HKLM\SOFTWARE\Classes\.3gp\newp.backup]
    [-HKLM\SOFTWARE\Classes\.AAC\newp.backup]
    [-HKLM\SOFTWARE\Classes\.aif\newp.backup]
    [-HKLM\SOFTWARE\Classes\.avi\newp.backup]
    [-HKLM\SOFTWARE\Classes\.mov\newp.backup]
    [-HKLM\SOFTWARE\Classes\.mp3\newp.backup]
    [-HKLM\SOFTWARE\Classes\.mp4\newp.backup]
    [-HKLM\SOFTWARE\Classes\.mpeg\newp.backup]
    [-HKLM\SOFTWARE\Classes\.mpg\newp.backup]
    [-HKLM\SOFTWARE\Classes\.wav\newp.backup]
    [-HKLM\SOFTWARE\Classes\.wma\newp.backup]
    [-HKLM\SOFTWARE\Classes\.wmv\newp.backup]
    [-HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220522842288}]
    [-HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550555845588}]
    [-HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660566846688}]
    [-HKLM\SOFTWARE\Classes\newp.3gp]
    [-HKLM\SOFTWARE\Classes\newp.3gp\shell]
    [-HKLM\SOFTWARE\Classes\newp.aac]
    [-HKLM\SOFTWARE\Classes\newp.aif]
    [-HKLM\SOFTWARE\Classes\newp.avi]
    [-HKLM\SOFTWARE\Classes\newp.divx]
    [-HKLM\SOFTWARE\Classes\newp.flv]
    [-HKLM\SOFTWARE\Classes\newp.mkv]
    [-HKLM\SOFTWARE\Classes\newp.mov]
    [-HKLM\SOFTWARE\Classes\newp.mp3]
    [-HKLM\SOFTWARE\Classes\newp.mp4]
    [-HKLM\SOFTWARE\Classes\newp.mpeg]
    [-HKLM\SOFTWARE\Classes\newp.mpg]
    [-HKLM\SOFTWARE\Classes\newp.wav]
    [-HKLM\SOFTWARE\Classes\newp.wma]
    [-HKLM\SOFTWARE\Classes\newp.wmv]
    [-HKLM\SOFTWARE\Classes\Unknown\shell\openas\command\Advanced System Protector.bak]
    [-HKLM\SOFTWARE\Classes\Unknown\shell\opendlg\command\Advanced System Protector.bak]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Browser Updater]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProtectedSearch]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemSockets]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110511841188}]
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110511841188}]
    [-HKU\S-1-5-21-3497939736-4010866069-3823650550-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SnapDo.exe]
    :commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Make sure that you now close ALL open browser windows and any other open programs!
    • Now click the large MoveIt button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Let's try this ==> Reset Firefox to Defaults
    Re-boot your pc!

    Any improvements?
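    The OTM fix scripts in posts #3, #20 and this post all use the same section-based format (:Services, :Files, :Reg, :Commands). The following dry-run reader is an added example, not part of the thread and not OldTimer's code: it parses a script of that shape and reports what it would do, so the script can be reviewed before it is pasted into OTM. Two points it checks are ones a reviewer would want here: a `[key]` header under :Reg with no `"name"=-` lines below it does nothing (the `-` that turns it into a key deletion is probably missing), and a scheduled task lives both as a file under System32\Tasks and as a TaskCache\Tree key, so removing one without the other leaves an orphan. The .reg-style interpretation of the registry lines (`[-key]` deletes a key, `"name"=-` under an open `[key]` deletes that value) is an assumption; the sample script is constructed from entries in the thread, with one header deliberately mistyped and one Tree key left out to show both checks.

```python
"""Dry-run reader for an OTM-style fix script (added example; assumes .reg-style :Reg syntax)."""
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r'^\[(?P<delete>-?)(?P<key>[^\]]+)\]$')   # [key] or [-key]
VALUE_DELETE_RE = re.compile(r'^"(?P<name>[^"]*)"=-$')         # "name"=-  (delete value)
TASK_DIR = 'c:\\windows\\system32\\tasks\\'
TREE_KEY = 'hklm\\software\\microsoft\\windows nt\\currentversion\\schedule\\taskcache\\tree\\'

# Constructed sample: entries taken from the thread, one header mistyped (no '-'),
# and the SystemSockets Tree key left out on purpose.
SAMPLE_SCRIPT = r"""
:Files
C:\Windows\System32\Tasks\Browser Updater\Browser Updater
C:\Windows\System32\Tasks\Browser Updater
C:\Windows\System32\Tasks\SystemSockets\SystemSockets
C:\Windows\System32\Tasks\SystemSockets
C:\Windows\TEMP\*.*
:Reg
[HKLM\SOFTWARE\Classes\.3gp\newp.backup]
[-HKLM\SOFTWARE\Classes\.AAC\newp.backup]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Search"=-
[-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Browser Updater]
[-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProtectedSearch]
:commands
[purity]
[EmptyTemp]
[Reboot]
"""


@dataclass
class FixPlan:
    services: list = field(default_factory=list)
    files: list = field(default_factory=list)
    reg_keys_deleted: list = field(default_factory=list)
    reg_values_deleted: list = field(default_factory=list)   # (key, value name) pairs
    commands: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_otm_script(text):
    """Turn the script into a FixPlan, collecting review warnings along the way."""
    plan, section, open_key, key_used = FixPlan(), None, None, False

    def close_key():
        nonlocal open_key, key_used
        if open_key is not None and not key_used:
            plan.warnings.append(f"[{open_key}] is opened but nothing is deleted under it; missing '-'?")
        open_key, key_used = None, False

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(':'):                 # section header, case-insensitive in the thread
            close_key()
            section = line[1:].lower()
        elif section == 'services':
            plan.services.append(line)
        elif section == 'files':
            plan.files.append(line)
            if any(ch in line for ch in '*?'):   # wildcard entries remove everything they match
                plan.warnings.append(f"wildcard entry {line!r}: removes everything it matches")
        elif section == 'reg':
            m = KEY_RE.match(line)
            if m:
                close_key()
                if m.group('delete'):
                    plan.reg_keys_deleted.append(m.group('key'))
                else:
                    open_key = m.group('key')
                continue
            m = VALUE_DELETE_RE.match(line)
            if m and open_key is not None:
                plan.reg_values_deleted.append((open_key, m.group('name')))
                key_used = True
            else:
                plan.warnings.append(f"unrecognised :Reg line {line!r}")
        elif section == 'commands':
            plan.commands.append(line.strip('[]').lower())
        else:
            plan.warnings.append(f"line outside any section: {line!r}")
    close_key()
    return plan


def check_task_consistency(plan):
    """Return (tasks removed as files but not from TaskCache\\Tree, Tree keys removed without files)."""
    def first_component(path, prefix):
        low = path.lower()
        return low[len(prefix):].split('\\')[0] if low.startswith(prefix) else None

    task_files = {n for n in (first_component(f, TASK_DIR) for f in plan.files) if n}
    tree_keys = {n for n in (first_component(k, TREE_KEY) for k in plan.reg_keys_deleted) if n}
    return sorted(task_files - tree_keys), sorted(tree_keys - task_files)


if __name__ == '__main__':
    plan = parse_otm_script(SAMPLE_SCRIPT)
    print(f"{len(plan.files)} file entries, {len(plan.reg_keys_deleted)} keys and "
          f"{len(plan.reg_values_deleted)} values deleted, commands: {plan.commands}")
    for w in plan.warnings:
        print('WARNING:', w)
    files_only, tree_only = check_task_consistency(plan)
    print('task files without Tree key:', files_only, '| Tree keys without files:', tree_only)
```

    Run against the sample, the reader flags the `.3gp` header as a probable missing `-`, flags the `C:\Windows\TEMP\*.*` wildcard, and reports SystemSockets as a task whose files go but whose Tree key stays (and ProtectedSearch as the reverse), which is exactly the pair of mismatches worth fixing before the script is pasted.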
     
  27. clixto

    clixto Specialist

    otm attached
     

    Attached Files:

  28. clixto

    clixto Specialist

    I reset firefox everything seems ok..no pop ups
     
  29. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;)

    Awesome! Anything else (malware related) wrong?
     
  30. clixto

    clixto Specialist

    I don't notice anything right now. U Rock!
    Thank you Very Much!
     
  31. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're very welcome, clixto.

    That was some stubborn crapware that you ran into. ;)
    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase it, it provides no protection. It does not use any significant amount of resources (except a little disk space) until you run a scan.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, Win 7/8 - it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7/8, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
    Safe surfing!
     
  32. clixto

    clixto Specialist

    Excellent..Again thanks so much. Looks like I have some teaching to do for the mom-inlaw..lol
     
  33. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    "Best of Luck" in that regard! :-D
     
  34. clixto

    clixto Specialist

    how do I remove the adware cleaner program? I don't see it in the control panel. Also there are faded desktop.ini files on the desktop..should I delete them?
     
  35. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Those programs that we had you download but that do not appear in Programs & Features did not require installation, so those types of apps can simply be deleted.

    The faded desktop.ini files are normally in "hidden files & folders" and will be reset to that when you run all of the cleanup steps.
     
  36. clixto

    clixto Specialist

    the desktop.ini files are still there. Also when I read the system back up procedures..it says to wait a few days before wiping it. Should I wait?
     
  37. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please see this link for a tutorial on setting files & folders to hidden - (remember to re-boot)
    Hide-hidden-files-windows-7

    Yes - wait just a couple of days and check out the machine. (Even an infected restore point can be useful until you know you can be rid of it.)
     
  38. clixto

    clixto Specialist

    cool thanks
     
  39. clixto

    clixto Specialist

    started an Avira scan and it's finding adware
     
  40. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Where? Pathway to the detection?
     
  41. clixto

    clixto Specialist

    I'll post a log when its done?
     
  42. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please attach the avira scan log in the .txt file extension when completed.

    Also run this online scanner and attach the ESETScan.txt log, please.

    Using ESET's Online Scanner

    NOTE: Be aware that the ESET scan can take 2 hours, depending on the number of files it has to scan.
     
  43. clixto

    clixto Specialist

    I think this stuff might have been in the adware program. I forgot to uninstall/delete that one.
     

    Attached Files:

  44. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    No problems in the log. Your anti-virus is detecting malware that is already quarantined by AdwCleaner.

    dr.m
     
  45. clixto

    clixto Specialist

    should I still run the other scan. I just got a pop up script error with avira
     
  46. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Yes, you may as well run the ESET online scan.
     
  47. clixto

    clixto Specialist

    here she be
     

    Attached Files:

  48. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    More Conduit junkware, huh? That cleaning should take care of that pest.
     
  49. clixto

    clixto Specialist

    This laptop is/was such a mess lol. Not sure how long this has been like this. Do I need to do anything else?
     
  50. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    No, not here. We've finished the cleaning.

    Be Safe!
    dr.m
     
