Wife's computer has Adware. God knows what else.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by XJadynX, Mar 26, 2015.

  1. XJadynX

    XJadynX Private E-2

    I'm getting a little over the moon with my wife not listening to me about the websites she visits and what she downloads. I have noticed adware on her computer. All my attempts at removing it have only resulted in some results. I followed your Cleaning advice and, well, I can't honestly say I know if there is more or not. So it would be great if you could look these over and tell me what else, if anything, is still there. Also, can you PLEASE recommend a good program to help prevent this? I'm tired of this happening.
     


  2. XJadynX

    XJadynX Private E-2

    I know this is a bump of sorts, I'm sorry. I just realized I missed the Hitman log. I tried to edit it but I didn't see a way to... Please forgive me. I also had to break the Hitman log into 2 files as it would not let me upload it as one.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry : 15 ¤¤¤
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cozaghost ("C:\ProgramData\micron\1.1.0.29\cozaghost.exe" /ts2=1) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cozwdhost ("C:\ProgramData\micron\1.1.0.29\cozwdhost.exe" -scm) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\jymysohu (C:\Users\Joy\AppData\Roaming\42323039-1425547376-3332-3631-3537FFFFFFFF\nspB1DC.tmp) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sibehylo (C:\Users\Joy\AppData\Roaming\42323039-1425547376-3332-3631-3537FFFFFFFF\jnse1FCF.tmp) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cozaghost ("C:\ProgramData\micron\1.1.0.29\cozaghost.exe" /ts2=1) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cozwdhost ("C:\ProgramData\micron\1.1.0.29\cozwdhost.exe" -scm) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jymysohu (C:\Users\Joy\AppData\Roaming\42323039-1425547376-3332-3631-3537FFFFFFFF\nspB1DC.tmp) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sibehylo (C:\Users\Joy\AppData\Roaming\42323039-1425547376-3332-3631-3537FFFFFFFF\jnse1FCF.tmp) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\cozaghost ("C:\ProgramData\micron\1.1.0.29\cozaghost.exe" /ts2=1) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\cozwdhost ("C:\ProgramData\micron\1.1.0.29\cozwdhost.exe" -scm) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\jymysohu (C:\Users\Joy\AppData\Roaming\42323039-1425547376-3332-3631-3537FFFFFFFF\nspB1DC.tmp) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kezotoby (C:\Users\Joy\AppData\Local\42323039-1426759190-3332-3631-3537FFFFFFFF\insbECF0.tmp) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sibehylo (C:\Users\Joy\AppData\Roaming\42323039-1425547376-3332-3631-3537FFFFFFFF\jnse1FCF.tmp) -> Found
    Now fix these items:
    Code:
    ¤¤¤ Tasks : 2 ¤¤¤
    [Suspicious.Path] Tempo Runner coz64host.job -- C:\ProgramData\micron\1.1.0.29\cozaghost.exe (/dgad="C:\ProgramData\micron\1.1.0.29\coz64host.exe") -> Found
    [Suspicious.Path] \\Tempo Runner coz64host -- C:\ProgramData\micron\1.1.0.29\cozaghost.exe (/dgad="C:\ProgramData\micron\1.1.0.29\coz64host.exe") -> Found
    Download OTM by Old Timer and save it to your Desktop.


    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code under the [​IMG] area. Do not include the word Code.


    Code:
    :Processes
    explorer.exe
    
    :files
    C:\Program Files\Common Files\System\SysMenu.dll
    C:\Users\Joy\AppData\Local\42323039-1425547420-3332-3631-3537FFFFFFFF\onst8FF3.tmp
    C:\Users\Joy\AppData\Local\42323039-1425547420-3332-3631-3537FFFFFFFF\rnst8FF2.exe
    C:\Users\Joy\AppData\Local\42323039-1425547420-3332-3631-3537FFFFFFFF\snst8FF1.tmp
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40BG6CTG\FinalInstaller_dotnet4[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40BG6CTG\FinalInstaller_dotnet4[2].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40BG6CTG\OrbiterInstaller[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40BG6CTG\runasu[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40BG6CTG\VOsrv[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACQLUQZM\check[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACQLUQZM\FinalInstaller_dotnet4[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACQLUQZM\kmdSetup[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACQLUQZM\setup[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACQLUQZM\setup_362[2].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACQLUQZM\SFSetup[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACQLUQZM\sp-downloader_121[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACQLUQZM\Update_Notifier[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACQLUQZM\VOsrv[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZ583ICV\check[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZ583ICV\check[2].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZ583ICV\FinalInstaller_dotnet4[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZ583ICV\FinalInstaller_dotnet4[2].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZ583ICV\FinalInstaller_dotnet4[3].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZ583ICV\IGSrv[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZ583ICV\JOSrv[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZ583ICV\runasu[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZ583ICV\SU_Srv[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KDPSBJPE\FinalInstaller_dotnet4[1].exe
    C:\Users\Joy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KDPSBJPE\smt[1].exe
    C:\Users\Joy\AppData\Local\nsw56DB.tmp
    C:\Users\Joy\AppData\Local\Temp\dufgmr4c.exe
    C:\Users\Joy\AppData\Local\Temp\Gre37E1.exe
    C:\Users\Joy\AppData\Local\Temp\Gre71F4.exe
    C:\Users\Joy\AppData\Local\Temp\GreB598.exe
    C:\Users\Joy\AppData\Local\Temp\GreE56E.exe
    C:\Users\Joy\AppData\Local\Temp\GreF891.exe
    C:\Users\Joy\AppData\Local\Temp\GreFB3F.exe
    C:\Users\Joy\AppData\Local\Temp\jue9A1.exe
    C:\Users\Joy\AppData\Local\Temp\jueAC.exe
    C:\Users\Joy\AppData\Local\Temp\jueF98A.exe
    C:\Users\Joy\AppData\Local\Temp\nsb7BB0.tmp
    C:\Users\Joy\AppData\Local\Temp\nsb8437.tmp
    C:\Users\Joy\AppData\Local\Temp\nsb887B.tmp
    C:\Users\Joy\AppData\Local\Temp\nsb89B3.tmp
    C:\Users\Joy\AppData\Local\Temp\nsb8E93.tmp
    C:\Users\Joy\AppData\Local\Temp\nsbB7EC.tmp
    C:\Users\Joy\AppData\Local\Temp\nscD34A.tmp
    C:\Users\Joy\AppData\Local\Temp\nsg8456.tmp
    C:\Users\Joy\AppData\Local\Temp\nsg85DC.tmp
    C:\Users\Joy\AppData\Local\Temp\nsg9038.tmp
    C:\Users\Joy\AppData\Local\Temp\*.*
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Liveistream
    C:\Users\Joy\AppData\Roaming\42323039-1425547376-3332-3631-3537FFFFFFFF\rnsy1C51.exe
    
    :reg
    [-HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\] 
    [-HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\] 
    [-HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}\] 
    [-HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\] 
    [-HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\] 
    [-HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\] 
    [-HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}\] 
    [-HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}\] 
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\cltmng_RASAPI32\] 
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\cltmng_RASMANCS\] 
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\CltMngSvc_RASAPI32\] 
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\CltMngSvc_RASMANCS\] 
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\cltmngui_RASAPI32\] 
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\cltmngui_RASMANCS\]
    :Commands
    [purity]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [​IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Reboot and rescan with both RogueKiller and Hitman and attach the new logs.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Attach the new C:\MGLogs.zip.
     
    Last edited: Mar 26, 2015
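
The RogueKiller registry findings quoted in the post above repeat each service under CurrentControlSet and the numbered control sets. The following is an added example, not part of the original thread and not RogueKiller's own code: it parses that line format, collapses the repeats to one record per service, and notes why each image path looks out of place. The function names and the reason labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Lines excerpted from the RogueKiller registry section in the post above.
SAMPLE_LOG = r'''
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cozaghost ("C:\ProgramData\micron\1.1.0.29\cozaghost.exe" /ts2=1) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\jymysohu (C:\Users\Joy\AppData\Roaming\42323039-1425547376-3332-3631-3537FFFFFFFF\nspB1DC.tmp) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cozaghost ("C:\ProgramData\micron\1.1.0.29\cozaghost.exe" /ts2=1) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\cozaghost ("C:\ProgramData\micron\1.1.0.29\cozaghost.exe" /ts2=1) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kezotoby (C:\Users\Joy\AppData\Local\42323039-1426759190-3332-3631-3537FFFFFFFF\insbECF0.tmp) -> Found
'''

# [rule] (arch) HKLM\System\<control set>\Services\<name> (<ImagePath>) -> status
LINE_RE = re.compile(
    r'^\[(?P<rule>[^\]]+)\]\s+\(X\d+\)\s+HKEY_LOCAL_MACHINE\\System\\'
    r'(?P<cset>CurrentControlSet|ControlSet\d{3})\\Services\\'
    r'(?P<service>\S+)\s+\((?P<image>.*)\)\s+->\s+(?P<status>\w+)\s*$'
)


def split_image(image):
    """Split a service ImagePath value into (executable path, arguments)."""
    image = image.strip()
    if image.startswith('"'):
        end = image.find('"', 1)
        if end != -1:
            return image[1:end], image[end + 1:].strip()
    return image, ''  # unquoted value: treat all of it as the path


def reasons_for(path, control_sets):
    """Illustrative heuristics (assumptions), not RogueKiller's rules."""
    low, reasons = path.lower(), []
    if re.search(r'\\users\\[^\\]+\\appdata\\', low):
        reasons.append('image in user AppData')
    if re.match(r'[a-z]:\\programdata\\', low):
        reasons.append('image in ProgramData')
    if not low.endswith(('.exe', '.sys', '.dll')):
        reasons.append('unusual image extension')
    if 'CurrentControlSet' not in control_sets:
        reasons.append('absent from CurrentControlSet')
    return reasons


def triage(log_text):
    """Return one record per service, merged across control sets."""
    found = defaultdict(lambda: {'csets': set(), 'image': ''})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m['service']]['csets'].add(m['cset'])
            found[m['service']]['image'] = m['image']
    report = {}
    for service, entry in sorted(found.items()):
        path, args = split_image(entry['image'])
        report[service] = {
            'control_sets': sorted(entry['csets']),
            'path': path,
            'args': args,
            'reasons': reasons_for(path, entry['csets']),
        }
    return report
```

CurrentControlSet is a link to one of the numbered control sets, so a service listed under several of them is a single service to remove, not several.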
  4. XJadynX

    XJadynX Private E-2

    Alright I think I got everything done right and logs uploaded.
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code under the [​IMG] area. Do not include the word Code.


    Code:
    :Processes
    explorer.exe
    
    :files
    C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\3ybdvyh3.default-1423802435643\prefs.js
    C:\Users\Joy\AppData\Local\Google\Chrome\User Data\Default\Web Data
    
    :reg
    [-HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\]
    [-HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\] 
    [-HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}\] 
    [-HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\] 
    [-HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\] 
    [-HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\]
    [-HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}\]
    [-HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}\]
    [-HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SysMenuExt\] 
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ShopperPro.exe\] 
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\YTDownloader.exe\] 
    [-HKLM\SOFTWARE\SearchModule\] 
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\ShopperPro.exe\] 
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\YTDownloader.exe\] 
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\] 
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\] 
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage\] 
    [-HKLM\SOFTWARE\Wow6432Node\SearchModule\]
    [-HKLM\SOFTWARE\Wow6432Node\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\]
    [-HKLM\SYSTEM\ControlSet001\Control\Class\{0014298C-A9BA-440D-AAA8-AD12C7010EE5}\] 
    [-HKLM\SYSTEM\ControlSet001\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}\] 
    [-HKLM\SYSTEM\ControlSet001\Control\Class\{181A06EA-B82C-47DE-B851-E20FD0E1CC7D}\] 
    [-HKLM\SYSTEM\ControlSet001\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}\]
    [-HKLM\SYSTEM\ControlSet002\Control\Class\{0014298C-A9BA-440D-AAA8-AD12C7010EE5}\] 
    [-HKLM\SYSTEM\ControlSet002\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}\] 
    [-HKLM\SYSTEM\ControlSet002\Control\Class\{181A06EA-B82C-47DE-B851-E20FD0E1CC7D}\]
    [-HKLM\SYSTEM\ControlSet002\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}\] 
    [-HKLM\SYSTEM\CurrentControlSet\Control\Class\{0014298C-A9BA-440D-AAA8-AD12C7010EE5}\] 
    [-HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}\] 
    [-HKLM\SYSTEM\CurrentControlSet\Control\Class\{181A06EA-B82C-47DE-B851-E20FD0E1CC7D}\] 
    [-HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}\] 
    [-HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\] 
    [-HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\] 
    [-HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\] 
    [-HKU\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\] 
    [-HKU\S-1-5-21-4150721913-2760155626-3035373295-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\StormWatchApp.exe] 
    [-HKU\S-1-5-21-4150721913-2760155626-3035373295-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [​IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Reboot and rerun Hitman and attach the new log.

    Tell me how things are running now.
     
  6. XJadynX

    XJadynX Private E-2

    Results from OTM :


    Files moved on Reboot...
    C:\Users\Joy\AppData\Local\Temp\Samsung Link\Logs\log4jDB.log moved successfully.
    C:\Users\Joy\AppData\Local\Temp\Samsung Link\Logs\log4jMeta.log moved successfully.
    File move failed. C:\Users\Joy\AppData\Local\Temp\NVIDIA Corporation\NV_Cache\6d1026b4fa6d4c49d77d65f8805a9c0_fce8395c8fd8a86b_6229ccd76215aea1_0_0.bin scheduled to be moved on reboot.
    File move failed. C:\Users\Joy\AppData\Local\Temp\NVIDIA Corporation\NV_Cache\6d1026b4fa6d4c49d77d65f8805a9c0_fce8395c8fd8a86b_6229ccd76215aea1_0_0.toc scheduled to be moved on reboot.
    File C:\Users\Joy\AppData\Local\Temp\hsperfdata_Joy\2824 not found!
    C:\Users\Joy\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File move failed. C:\Windows\temp\Low\SkypeClickToCall\Logs\AutoUpdateSvc.log scheduled to be moved on reboot.
    File C:\Windows\temp\hsperfdata_JOY-PC$\1864 not found!
    C:\Windows\temp\sqlite-3.7.151-amd64-sqlitejdbc.dll moved successfully.

    Registry entries deleted on Reboot...
    Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{0014298C-A9BA-440D-AAA8-AD12C7010EE5}\ scheduled to be deleted on reboot.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0014298C-A9BA-440D-AAA8-AD12C7010EE5}\ not found.

    It seems to be running smoother... it also seems to be booting faster. I can't tell 100% sure because I'm not used to this computer, but I'll get my wife to tell me how it is when she is done with her nurse. One thing is for sure: all of the adware appears to be gone.
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's do one last thing:

    Please download AdwCleaner by Xplode and save to your Desktop.

    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
     
  8. XJadynX

    XJadynX Private E-2

    Sorry it took me a while to get back to you. I ended up getting a bit busy the past couple of days. Here is the log from adware you asked for.
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go ahead and fix everything it found. Tell me what issues remain.
     
  10. XJadynX

    XJadynX Private E-2

    As far as I can tell, nothing... other than the fact that my wife's motherboard has stopped recognizing her video card... however I'm just about 100% positive that is an old problem with the motherboard itself needing to be replaced at this point... as if I don't have enough problems... thank you for the help.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
