Alureon.J - please help - tool logs attached

Really?? Just do this (although we do not usually allow it-)

Upload the logs to mediafire.com or something and give me the link.

 

Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.


Uninstall this junk:

• My Web Search (Webfetti)

Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Web Browsers tab and locate these detections:

• [PUP][IE:Addon] System : DVDVideoSoftTB Toolbar [{872b5b88-9db5-4310-bdd0-ac189557e5f5}] -> FOUND
• [PUP][FIREFX:Addon] ujadx9sg.default : DVDVideoSoft YouTube MP3 and Video Download [{ACAA314B-EEBA-48e4-AD47-84E31C44796C}] -> FOUND
• [PUP][FIREFX:Addon] ujadx9sg.default : SweetPacks Toolbar for Firefox [{EEE6C361-6118-11DC-9C72-001320C79847}] -> FOUND
• [PUP][CHROME:Addon] Default : OfferMosquito [gbmdkmlcnbapgegninelmjbfibaghdmk] -> FOUND

Place a checkmark next to each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.





Re run TDSSKiller and have it remove this what you previously skipped:

Re run Hitman and have it remove all that it finds.



Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
• O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
• O2 - BHO: ShopAtHome - {66516A07-F617-488A-90CF-4E690CFB3C5F} - C:\Users\Mom and\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbcore3U.dll (file missing)
• O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll
• O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
• O3 - Toolbar: ShopAtHome.com Toolbar - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - C:\Users\Mom and\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbcore3U.dll (file missing)

After clicking Fix exit HJT.




Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the area. Do not include the word Code.

Code:

:Files
C:\Users\Mom and\Local Settings\Application Data\24n5l270a1daj5c70b7ii
C:\Users\Mom and\Local Settings\Application Data\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv
C:\Users\Mom and\AppData\Roaming\Microsoft\Windows\Templates\24n5l270a1daj5c70b7ii
C:\Users\Mom and\AppData\Roaming\Microsoft\Windows\Templates\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv

:reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{09a5b2e9-9203-46f5-8a4f-b417a23b8a8a}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{33414CD4-57A8-461E-8B4B-1F95A57A6B58}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{D0B81197-C875-4BF3-B266-F93A46F165A9}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

Rescan with TDSSKiller (just a scan) and attach log.

MyWebSearch appears to have uninstalled. Do you still get an error about it upon start up?

Let me know if your antivirus complains anymore about anything.

 

I don't sleep much :-D



Do you have your Vista boot CD? If not:

If you don't have your Vista disc, you can create a Recovery Environment disc for your system here:

32bit Vista Recovery Environment

64bit Vista Recovery Environment

You can use ImageBurn to create the disc.

Once the disc is created, boot into the bios and change the boot order to CD/DVD as first boot device. Put in the disc and reboot. Once in the RE, type this:

Bootrec.exe /fixmbr

Note the space after the exe.

Exit out when done and boot back into normal mode. Re-run TDSSKiller and attach the new log.

 

I apologise. Very old link.


Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it.



Click the "Scan" button to start scan



On completion of the scan click [FixMBR].
Note: You may have to [Scan] first in order for this button to appear.

----------------

Now re run TDSSKiller and attach log.

 

How are things running now?

 

This might help increase performance upon start up. (Not topic for the malware forum really)

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe" -delete
• O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
• O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
• O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
• O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
• O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
• O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
• O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
• O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
• O4 - HKLM\..\Run: [Philips Device Listener] "C:\Program Files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe"
• O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
• O4 - HKLM\..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
• O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
• O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
• O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
• O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
• O4 - HKLM\..\Run: [EKStatusMonitor] C:\PROGRAM FILES\KODAK\AIO\STATUSMONITOR\EKStatusMonitor.EXE
• O4 - HKLM\..\Run: [EasyHomeDecorating_73 Browser Plugin Loader] C:\PROGRA~1\EASYHO~2\bar\1.bin\73brmon.exe
• O4 - HKLM\..\Run: [EasyHomeDecorating Search Scope Monitor] "C:\PROGRA~1\EASYHO~2\bar\1.bin\73srchmn.exe" /m=2 /w /h
• O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -HPW
• O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
• O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
• O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
• O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
• O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
• O4 - HKCU\..\Run: [HP Deskjet 3510 series (NET)] "C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN26812JZQ05R7:NW" -scfn "HP Deskjet 3510 series (NET)" -AutoStart 1
• O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
• O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
• O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
• O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
• O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
• O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
• O4 - HKCU\..\Run: [Google Update] "C:\Users\Jerry\AppData\Local\Google\Update\GoogleUpdate.exe" /c
• O4 - Startup: Dropbox.lnk = AppData\Roaming\Dropbox\bin\Dropbox.exe
• O4 - Startup: Socialbox.lnk = C:\Program Files\Socialbox\Socialbox.exe
• O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
• O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
• O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
• O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
• O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe

After clicking Fix exit HJT.

Any better?

 

Glad to hear it's running so well.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
2. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
   • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore​
   • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
   • Then we want you to Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

You're welcome L2R!

 

There shouldn't be any issues using the combo of MBAM Pro and MSSE.

Just re run Malware Bytes again and if it still finda anything have it remove it and then attach the log.

 

Malware Bytes log shows junk it found but you did not have it remove it by the looks! Remove what it finds....rescan AGAIN, and attach that log too please.

 

OK, that log is clear, if the next log is too then it looks like all is well.

 

Does this folder exist? C:\Users\Jerry\AppData\LocalLow\EasyHomeDecorating_73

If JRT and Malware Bytes no longer detect these problems then I think it would be safe to say they are not on the machine or lingering.

 

Most welcome. Safe surfing.