Help with cleaning machine please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by vkinetic, May 3, 2015.

  1. vkinetic

    vkinetic Private First Class

    This machine has persistent requests to install unwanted programs. All attempts at cleaning have not been successful - the requests keep coming back. I have performed all the tasks for cleaning internet hijacks and redirects and the malware removal tasks as well. Here are the logs:

    MGTools logs to follow
     


  2. vkinetic

    vkinetic Private First Class

    MGTools logs attached
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    SuperManCoupon <<< Uninstall this.

    Did you let Malware Bytes fix that item? Please do so if not...

    Please re run Hitman and have it remove all that it finds....


    Re run RogueKiller and attach log.
    Re run Hitman Pro and attach log.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
     
  4. vkinetic

    vkinetic Private First Class

    Thank you Kestrel13.

    SuperManCoupon has been uninstalled.

    Yes, I had Malwarebytes fix what it found.

    Hitman Pro has been run again and I have had it fix everything it found. A log of what it found and fixed is attached.

    I have re-run RogueKiller and Hitman Pro again and their log files are attached.

    I'm sorry but I misread your instructions and re-ran MGTools. I have attached its logs anyway. I hope this hasn't disturbed things too much. I then ran the GetLogs bat file as instructed - its logs called MGLogs2.zip are attached.

    The system appears to be functioning normally so far.

    Thank you for your help and patience.
     


  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [Suspicious.Path|VT.Goobzo (fs)] (X64) HKEY_USERS\S-1-5-21-507064951-483728726-446480579-1001\Software\Microsoft\Windows\CurrentVersion\Run | DeskBar : C:\Users\Toshiba\AppData\Local\DeskBar\DeskBar.exe [7]
    • [Suspicious.Path|VT.Goobzo (fs)] (X86) HKEY_USERS\S-1-5-21-507064951-483728726-446480579-1001\Software\Microsoft\Windows\CurrentVersion\Run | DeskBar : C:\Users\Toshiba\AppData\Local\DeskBar\DeskBar.exe [7]

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for these two entries on "Scheduled Tasks" tab

    • [Suspicious.Path] ILMHVSL.job -- C:\Users\Toshiba\AppData\Roaming\ILMHVSL.exe
    • [Suspicious.Path] \\ILMHVSL -- C:\Users\Toshiba\AppData\Roaming\ILMHVSL.exe

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
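    The two Run-key entries and the two scheduled tasks above share one trait: their launch target sits under a user's AppData folder, a user-writable location that legitimate installers rarely use for autoruns. The script below is an added example (not part of this thread or the MajorGeeks tools) that audits every loaded user hive's Run key and every scheduled task for that pattern; it assumes an elevated PowerShell prompt on Windows 8 or later, since Get-ScheduledTask is not available on Windows 7.

```powershell
# Added example: flag autoruns whose target lives under a user's AppData.
# Run as Administrator; HKU is only fully visible when elevated.
$suspect = @()

# HKEY_USERS is not mapped as a PowerShell drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Matches ...\AppData\Local\... or ...\AppData\Roaming\... anywhere in the value.
$appDataPattern = '\\AppData\\(Local|Roaming)\\'

# 1. Per-user Run keys (one subkey per loaded SID; skip the *_Classes hives).
$hives = Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
foreach ($hive in $hives) {
    $runKey = Join-Path $hive.PSPath 'Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $runKey)) { continue }
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        if ("$($p.Value)" -match $appDataPattern) {
            $suspect += [pscustomobject]@{
                Source = "Run key ($($hive.PSChildName))"
                Name   = $p.Name
                Target = $p.Value
            }
        }
    }
}

# 2. Scheduled tasks whose action executes from AppData.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ("$($action.Execute)" -match $appDataPattern) {
            $suspect += [pscustomobject]@{
                Source = "Task ($($task.TaskPath))"
                Name   = $task.TaskName
                Target = $action.Execute
            }
        }
    }
}

# Review each hit before removing anything: some legitimate per-user apps
# (e.g. browser updaters) also start from AppData.
$suspect | Format-Table -AutoSize
```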
     
  6. vkinetic

    vkinetic Private First Class

    Thanks Kestrel13.

    Please see the requested logs attached.

    For your info please note that RogueKiller does not automatically save a report to the desktop - I had to manually generate one by clicking the Report button in the RogueKiller window.

    Also RogueKiller reported an error in trying to delete the second item in the Registry tab - reporting 'Error2'. Hopefully this is evident in the RogueKiller log.

    thanks
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just run RogueKiller once more and attach log please. :)
     
  8. vkinetic

    vkinetic Private First Class

    Thanks. RogueKiller has been re-run and the log is attached. Note that I have not removed the two suspicious path entries found in the registry yet.
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code in the Paste List of Files/Folders to Move area. Do not include the word Code.
    Code:
    :Files
    
    C:\ProgramData\173e481b00004693
    C:\ProgramData\3497892630437262639
    C:\ProgramData\7ea666b800002404
    C:\ProgramData\aldcdindmnoddmalpcdfafgbmcdomkoo
    C:\ProgramData\aYiDLJ
    C:\ProgramData\{c6731331-fe04-aa4b-c673-31331fe04cc7}
    C:\ProgramData\{f77f2160-55b0-4319-f77f-f216055b8581}
    C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
     
  10. vkinetic

    vkinetic Private First Class

    Thank you.

    See logs attached
     


  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    For some reason OTM couldn't handle those items I wanted deleted. Can you do it manually?

    C:\ProgramData\173e481b00004693
    C:\ProgramData\3497892630437262639
    C:\ProgramData\7ea666b800002404
    C:\ProgramData\aldcdindmnoddmalpcdfafgbmcdomkoo
    C:\ProgramData\aYiDLJ
    C:\ProgramData\{c6731331-fe04-aa4b-c673-31331fe04cc7}
    C:\ProgramData\{f77f2160-55b0-4319-f77f-f216055b8581}
    C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7

    Then reboot and do this...

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  12. vkinetic

    vkinetic Private First Class

    OK, thanks. All those listed files have been successfully deleted (however they are still in the recycle bin).

    New MGTools logs attached
     


  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK the logs look great. How're things running?
     
  14. vkinetic

    vkinetic Private First Class

    Things are running OK but there are still boxes opening offering free scans etc or pages opening (in Chrome). Also if you try to scroll down a page in Chrome a second tab immediately opens going to some unrequested page. Also there are 'Ads by ShoppingDealFactory' popping up from within Chrome.

    Internet Explorer however appears to be functioning completely normally with no issues whatsoever so far.

    There is a dialog box popping up with no internet browser open - the box is headed Dialog and in the box says 'Can not get install path'. This can only be dismissed by clicking OK.

    Sorry but I will be away for 48 hours so there will be a delay in my responses during that time.

    Thanks so much for your help
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, when you get back, I want you to uninstall all of the below using Revo Uninstaller.

    • Google Chrome
    • Google Earth
    • Google Update Helper

    Reboot the machine, reinstall Google Chrome and see how it behaves and let me know. (You can reinstall other Google components afterwards)
     
  16. vkinetic

    vkinetic Private First Class

    Thank you.

    Google Chrome and Google Earth have been uninstalled using Revo Uninstaller in Pro mode. Revo could not find Google Update helper. The system has been rebooted. So far all seems fine and Internet Explorer appears to be functioning normally. Note that Revo reports the following unknown programs still installed on the machine:

    bugwatcher
    OEM Application Profile
    Support PL 1.1
    TampaEdit

    Thanks
     
  17. vkinetic

    vkinetic Private First Class

    Sorry, Chrome was re-installed after a reboot and appears to be functioning normally now

    thanks
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent. Ready for final steps? :)
     
  19. vkinetic

    vkinetic Private First Class

    Ready when you are Kestrel13. Thanks so much for all your help :)
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome. :)


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work thru the below link:
     
  21. vkinetic

    vkinetic Private First Class

    OK thanks - just about to follow your final instructions. But I just want to clarify - should anything be done about the four unknown programs listed as still installed?

    bugwatcher
    OEM Application Profile
    Support PL 1.1
    TampaEdit
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    They are not unknown programs to you though are they? Did you install them knowingly?
     
  23. vkinetic

    vkinetic Private First Class

    Certainly bugwatcher and TampaEdit are unknown. OEM Application Profile and Support PL 1.1 could be Toshiba bloatware. But attempts to remove these in the normal way in the past have failed anyway.
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Topic for the software forum. ;)
     
  25. vkinetic

    vkinetic Private First Class

    All the clean up procedures have been followed.

    We are still getting a dialog box occasionally appearing on the desktop. The box is entitled 'Dialog' and says 'Can not get install path'. The box can be dismissed by either clicking the cross top left hand corner or clicking 'OK'. A whole lot of windows updates were automatically installed after a reboot which is a good sign. Security has now been installed (Bullguard). Upon reboot there was a Bullguard firewall message saying that Google Updater was automatically allowed to connect (when previously instructed by you we could not find any evidence of Google Update helper being installed and there is no listing for Google Updater in the installed programs).
    But sadly we are still getting another large dialog box open entitled 'Dialog' asking to start a free trial of Click Free backup with the option to close or learn more. Clickfree backup is not listed in the list of installed programs. However there is an icon in the notification area which I have discovered is associated with ClickFree Backup. It has an option to uninstall but when I attempt to uninstall it a dialog box the same as the one that is occasionally appearing appears saying that it 'Can not get install path'.
    This appears to be the only issue remaining. Is there any way we can get rid of this annoyance?

    Thanks
     
  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can post about that in the software forum as it's nothing to do with malware. :) Best of luck.
     
  27. vkinetic

    vkinetic Private First Class

    OK, thanks very much for all your help Kestrel13! :)
     
  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're most welcome. Safe surfing! :)
     
