No Internet Television Fanatic Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by amateur09, Jan 5, 2013.

  1. amateur09

    amateur09 Private E-2

    My daughter has Toshiba Satellite windows 7 64 bit that can't connect to the internet. Ran malware bytes a few nights ago which identified 283 issues many noting television fanatic and film fanatic. Quarantined items and ran CCleaner and was able to partly use internet for google and facebook but not all features. Next day again unable to connect to internet.

    Following instructions from Chaslang, I uninstalled Spybot because I couldn't access it to disable, did Defogger, disabled UAC, temporarily disabled AVG antivirus, and got logs from the 5 recommended programs. Since computer has no internet, logs were transferred via flashdrive. I'm not sure that I ran the MG tools correctly or maybe I'm attaching wrong item. Also, when running Hitman, I didn't get a red warning box as shown in instructions and hit next but it then said it would start cleaning and I closed the program as the guidance said not to clean anything--hope I didn't do something wrong with that.

    Apologies in advance if I'm posting or attaching something wrong.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your MGtools log is very incomplete. You have to make sure that you allow it to finish running. Also protection software should be disabled. Please try the below.


    Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  3. amateur09

    amateur09 Private E-2

    This run of MGtools seemed better as it took longer and seemed to look like the examples. Hopefully it is now complete. Sorry about that.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm reviewing your logs now, but a question pops up on the first thing I see. The last two times I have seen this in user's logs, the user knew nothing about it and it was a source of problems. Did you install the below?

    C:\Program Files (x86)\Sendori\SendoriTray.exe
     
  5. amateur09

    amateur09 Private E-2

    From Control Panel, Programs, it shows Sendori as being installed 12.13.12. My guess is that it was not intentionally installed. It's my daughter's computer and I can't reach her until a week from now to confirm. If it is a source of problems, I would think she'd want it removed.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's remove it. She can always reinstall it later if she really needs it. But follow the instructions below in the order given.

    Based on your logs, the internet is working just fine. So let's clean up what I see and go from there.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: CrossriderApp0003134 - {11111111-1111-1111-1111-110011311134} - C:\Program Files (x86)\Get It Free\Get It Free.dll (file missing)
    O2 - BHO: StartNow Toolbar Helper - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
    O2 - BHO: Incredibar.com Helper Object - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files (x86)\Incredibar.com\incredibar\1.5.11.14\bh\incredibar.dll (file missing)
    O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
    O2 - BHO: DealPly - {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Program Files (x86)\DealPly\DealPlyIE.dll (file missing)
    O3 - Toolbar: StartNow Toolbar - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
    O3 - Toolbar: Incredibar Toolbar - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files (x86)\Incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll (file missing)
    O4 - HKLM\..\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe"

    After clicking Fix, exit HJT.

    Uninstall the below software:
    Get It Free
    IB Updater 2.0.0.542
    IB Updater Service
    Java(TM) 6 Update 14
    Sendori
    StartNow Toolbar
    Yontoo 1.10.03
    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Services
    Sendori
    Partner Service
    Service Sendori
    sndappv2
    IB Updater
     
    :Files
    C:\Program Files (x86)\Sendori
    C:\Program Files\IB Updater
    C:\Program Files (x86)\Incredibar.com
    C:\ProgramData\Partner
    C:\Program Files (x86)\DealPly
    C:\Program Files (x86)\Get It Free
    C:\Program Files (x86)\StartNow Toolbar
    
    :Reg
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "Sendori Tray"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}]
    @="TelevisionFanatic"
    "DisplayName"="My Web Search"
    "URL"="http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm0328Jus&ptb=2831408A-C6AF-42EF-88AD-82CB65B2A0AD&psa=&ind=2011042619&ptnrS=XPxdm0328Jus&si=1150220&st=sb&n=77de133b&searchfor={searchTerms}"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}]
    "URL"="http://mystart.incredibar.com/mb185/?search={searchTerms}&loc=IB_DS&a=6PQNXAmYrD&i=26"
    "DisplayName"=""
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
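    As an added example (not part of the thread and not one of the MajorGeeks tools): a small Python triage script that parses HijackThis O2/O3/O4 lines like the ones quoted above and flags the entries a reviewer would look at, namely orphaned BHOs/toolbars whose file is gone and names matching a watchlist built from the junkware families named in this thread. The sample input is the thread's own lines plus one constructed benign Run entry; the regexes and watchlist are assumptions, not a vendor signature set.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the O2/O3/O4 lines quoted in the post above,
# plus one made-up benign O4 entry to show it is not flagged.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: CrossriderApp0003134 - {11111111-1111-1111-1111-110011311134} - C:\Program Files (x86)\Get It Free\Get It Free.dll (file missing)
O3 - Toolbar: StartNow Toolbar - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
O4 - HKLM\..\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"""

# Assumed substring watchlist: the junkware families named in this thread.
WATCHLIST = ("sendori", "startnow", "incredibar", "dealply", "crossrider",
             "partner", "get it free", "yontoo", "ib updater", "mywebsearch")

# O2/O3: "<section> - BHO|Toolbar: <name> - {CLSID} - <dll path or status>"
BHO_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4: "O4 - HKLM\..\Run: [<value name>] "<command>""
RUN_RE = re.compile(r'^(O4) - (HK\w+\\\.\.\\Run\w*): \[(.*?)\] "?(.*?)"?$')

@dataclass
class Entry:
    section: str          # "O2", "O3" or "O4"
    name: str             # BHO/toolbar display name or Run value name
    clsid: Optional[str]  # CLSID for O2/O3, None for O4
    target: str           # DLL/EXE path as HijackThis printed it
    reasons: List[str]    # why a reviewer would look at this line

def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2/O3/O4 HijackThis line; return None for any other section."""
    m = BHO_RE.match(line)
    if m:
        return Entry(m.group(1), m.group(2), m.group(3), m.group(4), [])
    m = RUN_RE.match(line)
    if m:
        return Entry(m.group(1), m.group(3), None, m.group(4), [])
    return None

def triage(entry: Entry) -> Entry:
    """Attach review reasons: orphaned registrations, unnamed BHOs, watchlist hits."""
    if entry.target == "(no file)" or entry.target.endswith("(file missing)"):
        entry.reasons.append("orphaned: registered but file is gone")
    if entry.name == "(no name)":
        entry.reasons.append("unnamed BHO")
    hay = (entry.name + " " + entry.target).lower()
    hits = [w for w in WATCHLIST if w in hay]
    if hits:
        entry.reasons.append("watchlist: " + ", ".join(hits))
    return entry

def flagged(log_text: str) -> List[Entry]:
    """Return only the parsed entries that collected at least one reason."""
    out = []
    for raw in log_text.splitlines():
        e = parse_line(raw.strip())
        if e is not None and triage(e).reasons:
            out.append(e)
    return out
```

Running `flagged(SAMPLE_HJT)` returns the four entries chaslang selected for fixing and leaves the constructed Adobe entry alone.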
     
  7. amateur09

    amateur09 Private E-2

    Ran the latest instructions provided and attached the 2 logs. Things seem to be working fine as far as I can tell. Thanks so much!!
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  9. amateur09

    amateur09 Private E-2

    I will be buying Malwarebytes today. Did the other clean up procedures recommended and also added spywareblaster as recommended.

    The only possible problem I had was I reinstalled Spybot (as I had to uninstall because it was interfering with getting the recommended logs). I have SD Helper enabled, but not teatimer. When I did a scan, it came up with 6 issues: Coupon bar (11 entries), iCrossrider (4 entries), DealPly (6 entries), Incredibar (3 entries), Yontou.paperage (3 entries), and facebook.messenger (1). I selected fix problems and it cleared 24 initially and then the remainder on restart. Did another scan this morning and it said no threats. Would this be something to be concerned with or anything else I need to do?

    Thanks again for your work and advice.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, not really. We had already removed the main/active components of these. What Spybot found was just some leftovers. There are always dozens of registry keys used by this kind of junkware and some residual items can be left behind. What really matters are the items that our scans find and remove.

    Plus the Coupon stuff is something you installed and is not really a problem. You had installed >> Coupon Printer for Windows
    It is considered legit. See http://www.bleepingcomputer.com/uninstall/2798/Coupon-Printer-for-Windows.html

    You could just have uninstalled it. After running Spybot that choice may no longer be possible as it likely deleted things you would need in order to uninstall it.
     
  11. amateur09

    amateur09 Private E-2

    Glad to hear the Spybot scan was just removing leftover junk. To me the computer is running fine now--it's actually working, loads quicker than before, running cooler temperature wise, and according to task manager CPU usage is down (single number % at idle compared to higher before). The final test will be when my daughter gets home this weekend, but I don't foresee any problems.

    For protection, we'll continue to run AVG 2013 and spybot with SD helper. Additionally I added Spyware Blaster and activated Malwarebytes for real time protection.

    If this sounds like a good plan, I don't think there's any need for you to respond. I really do appreciate what you (and others like you) do here for us. There's no way I could have gotten this cleaned by myself.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Glad to hear it is working better. Hope your daughter is happy. ;)
     
