Slow computer, lots of programs I didn't install

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gilmap, Nov 15, 2014.

  1. gilmap

    gilmap Private E-2

    Hi

    Thanks for providing this help. I've followed your directions and attached the log files here.

    A bit of background: my computer has been running slow for a while. I was able to fix the browser redirects in IE but not in Google Chrome. I noticed a lot of programs that I did not install on here too, a lot of toolbars especially. I would really appreciate the help you can give.

    GilmaP
     

    Attached Files:

  2. gilmap

    gilmap Private E-2

    Forgot to add MG Logs:
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    Did you have Malwarebytes fix the malware that it detected? If not - do so now.

    Re-run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts. *Re-enable them before physically reconnecting to your ISP.

    Using "Programs & Features" uninstall: (If you do not find it or it will not uninstall, just keep going.)
    Java(TM) SE Runtime Environment 6

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Files
    C:\Users\Paulina\AppData\Roaming\Babylon
    C:\Users\Paulina\AppData\Roaming\Optimizer Pro
    C:\Users\Paulina\Documents\Optimizer Pro
    C:\Program Files\Optimizer Pro
    C:\Program Files\Optimizer Pro\bg_new3.bmp 
    C:\Program Files\Optimizer Pro\cancel.bmp 
    C:\Program Files\Optimizer Pro\CookiesException.txt 
    C:\Program Files\Optimizer Pro\file_id.diz 
    C:\Program Files\Optimizer Pro\HomePage.url 
    C:\Program Files\Optimizer Pro\OptimizerPro.chm 
    C:\Program Files\Optimizer Pro\scan.gif 
    C:\Program Files\Optimizer Pro\StartupList.txt 
    C:\Program Files\Optimizer Pro\unins000.dat 
    C:\Program Files\Optimizer Pro\unins000.msg 
    C:\Program Files\Optimizer Pro
    C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.lza 
    C:\Program Files\Reimage\Reimage Repair\Reimage Repair.url 
    C:\Program Files\Reimage\Reimage Repair\version.rei
    C:\Program Files\Reimage\Reimage Repair
    C:\Program Files\Reimage
    C:\Program Files\BabylonToolbar  
    C:\ProgramData\Babylon
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\bl 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.settings 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\00 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\01 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\02 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\03 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\10 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\11 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\12 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\13 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\20 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\21 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\22
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings\23 
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\traking_settings
    C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}
    C:\ProgramData\BrowserProtect
    C:\ProgramData\Reimage Protector\cfl.rei 
    C:\ProgramData\Reimage Protector\Results
    C:\ProgramData\Reimage Protector\Results\ProtectorPackage.log 
    C:\ProgramData\Reimage Protector\Results\ProtectorUpdater.log 
    C:\ProgramData\Reimage Protector
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll 
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll 
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat 
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe 
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico 
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    C:\rei\AV\avupdate.conf 
    C:\rei\AV\avupdate_msg.avr 
    C:\rei\AV\HBEDV.KEY 
    C:\rei\AV
    C:\rei\cfl.rei 
    C:\rei\reimage.qsr 
    C:\rei\Results\EXE1.6.6.6\RUN20141005_1338
    C:\rei\Results\EXE1.6.6.6\RUN20141005_1338\Compress.res 
    C:\rei\Results\EXE1.6.6.6\RUN20141005_1338\debug-repair-2.log 
    C:\rei\Results\EXE1.6.6.6\RUN20141005_1338\debug-repair.log 
    C:\rei\Results\EXE1.6.6.6\RUN20141005_1338\Info_EnvironmentVars.res
    C:\rei\Results\EXE1.6.6.6\RUN20141005_1338\Info_Installed.rec 
    C:\rei\Results\EXE1.6.6.6\RUN20141005_1338\out.log 
    C:\rei
    C:\Users\Paulina\AppData\Local\Google\Chrome\User Data\Default\Web Data
    C:\Users\Paulina\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
    :reg
    [-HKLM\SOFTWARE\Babylon]
    [-HKLM\SOFTWARE\Classes\AppID\escort.DLL]
    [-HKLM\SOFTWARE\Classes\AppID\escortApp.DLL]
    [-HKLM\SOFTWARE\Classes\AppID\escortEng.DLL]
    [-HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL]
    [-HKLM\SOFTWARE\Classes\AppID\esrv.EXE]
    [-HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}]
    [-HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}]
    [-HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}]
    [-HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
    [-HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
    [-HKLM\SOFTWARE\Classes\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
    [-HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}]
    [-HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
    [-HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    [-HKLM\SOFTWARE\Tarma Installer\Components\{8D8654CD-7FBC-4C7E-84E9-371BFA8DB04E}]
    [-HKLM\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}]
    [-HKLM\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}]
    [-HKLM\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}]
    [-HKLM\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    [-HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    [-HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    [-HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    [-HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    [-HKU\S-1-5-21-1018242737-1022361278-828646999-1000\Software\IM]
    [-HKU\S-1-5-21-1018242737-1022361278-828646999-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\shoppingate.info]
    [-HKU\S-1-5-21-1018242737-1022361278-828646999-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com]
    [-HKU\S-1-5-21-1018242737-1022361278-828646999-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    [-HKU\S-1-5-21-1018242737-1022361278-828646999-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectNewTabPageShow]
    [-HKU\S-1-5-21-1018242737-1022361278-828646999-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectShowTabsWelcome]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Make sure to shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Next download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
    • Now click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • Look over the log especially under Files/Folders for any program you want to save.
    • If there's a program you may want to save, just uncheck it from AdwCleaner.
    • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
    • If you're ready to clean it all up.....click the Clean button.
    • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
    • Attach that logfile to your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder, which is created when running the tool.

    Now install the current version of Sun Java from:
    Make sure that when you install the new version of Java you uncheck the Install the Ask Toolbar junkware checkbox. You do not want to add junk that most people consider malware to your PC. Also, just in case Oracle changes the Java installation in the future to possibly install other junk, uncheck everything except Java itself.

    Re-run RogueKiller - do a scan ONLY and attach the new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select "Run As Administrator").

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    • AdwCleaner[S#].txt
    • updated Malwarebytes log.txt
    • updated RogueKiller log
    Make sure you tell me how things are working now!
     
    Last edited: Nov 16, 2014
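
A read-only way to confirm these findings before and after the cleanup, added here as an example and not part of the thread or of OTM itself: a PowerShell audit that tests for a representative subset of the paths and registry keys in the OTM script above and reports which are still present. It deletes nothing. The profile name and user SID are the ones in the OTM list; the report file name is an assumption.

```powershell
# Added example, not from the thread and not OTM's own code: a read-only audit
# of the artifacts the OTM script targets. It only reports whether each path or
# registry key exists, so it can be run before the cleanup (to confirm the
# findings) and afterwards (to confirm removal). Nothing is deleted.
# Assumptions: profile name 'Paulina' and the user SID come from the OTM list
# in the post; change $UserProfile and $UserSid for another machine.

$UserProfile = 'C:\Users\Paulina'
$UserSid     = 'S-1-5-21-1018242737-1022361278-828646999-1000'

# Top-level folders/files from the :Files section. Checking a parent folder
# covers every per-file entry the script lists beneath it.
$FileTargets = @(
    "$UserProfile\AppData\Roaming\Babylon",
    "$UserProfile\AppData\Roaming\Optimizer Pro",
    "$UserProfile\Documents\Optimizer Pro",
    "$UserProfile\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe",
    'C:\Program Files\Optimizer Pro',
    'C:\Program Files\Reimage',
    'C:\Program Files\BabylonToolbar',
    'C:\ProgramData\Babylon',
    'C:\ProgramData\BrowserProtect',
    'C:\ProgramData\Reimage Protector',
    'C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}',
    'C:\rei'
)

# Keys from the :reg section with OTM's "[-" delete marker and "]" removed.
# The BHO CLSID is the same one HijackThis reports on the O2 line.
$RegTargets = @(
    'HKLM\SOFTWARE\Babylon',
    'HKLM\SOFTWARE\Classes\AppID\escort.DLL',
    'HKLM\SOFTWARE\Classes\AppID\esrv.EXE',
    'HKLM\SOFTWARE\Classes\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}',
    'HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}',
    'HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}',
    'HKLM\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}',
    "HKU\$UserSid\Software\IM",
    "HKU\$UserSid\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}",
    "HKU\$UserSid\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com"
)

# The Registry provider wants full hive names; expand the HKLM/HKU shorthand.
$HiveNames = @{ 'HKLM' = 'HKEY_LOCAL_MACHINE'; 'HKU' = 'HKEY_USERS'; 'HKCU' = 'HKEY_CURRENT_USER' }
function ConvertTo-RegistryProviderPath {
    param([string]$Key)
    $hive, $rest = $Key -split '\\', 2
    return "Registry::$($HiveNames[$hive])\$rest"
}

# -LiteralPath keeps the braces and dots in these names from being treated as
# wildcards. Test-Path on an unloaded HKU hive simply returns False.
$results = @(
    foreach ($p in $FileTargets) {
        [pscustomobject]@{ Kind = 'File'; Target = $p; Present = (Test-Path -LiteralPath $p) }
    }
    foreach ($k in $RegTargets) {
        [pscustomobject]@{ Kind = 'Registry'; Target = $k; Present = (Test-Path -LiteralPath (ConvertTo-RegistryProviderPath $k)) }
    }
)

# Show what is still present, then save the full report on the Desktop
# (file name is an assumption) so it can be attached with the other logs.
$results | Where-Object Present | Format-Table -AutoSize
$report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'adware_audit.txt'
$results | Format-Table -AutoSize | Out-String -Width 200 | Set-Content -LiteralPath $report
$stillPresent = @($results | Where-Object Present).Count
"{0} of {1} listed artifacts still present; report saved to {2}" -f $stillPresent, $results.Count, $report
```

Run it from an elevated PowerShell prompt so the HKLM and HKU keys are readable; a second run after the OTM fix and reboot should report zero artifacts present, which is a quicker sanity check than reading the MovedFiles log by hand.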
  4. gilmap

    gilmap Private E-2

    Thanks for your help!


    I couldn't upload MGlogs.zip: it said I had already attached the file in this thread.

    nomalicious.txt is the Malwarebytes log. Oddly, when I scanned it this time, MWB found no malicious objects so I did not have it fix anything.

    Things are still slow, but not that slow.

    I'm still having problems in that when I click on Google Chrome trovit.com appears instead.

    Also: I was not able to choose where I downloaded programs today as I was using Google Chrome and I didn't see the option. (IE was a bit slow.) Would this have an effect?
     

    Attached Files:

    Last edited: Nov 22, 2014
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    That indicates that you didn't run the C:\MGtools\GetLogs.bat as instructed, which would have produced an updated log.

    Using AdwCleaner.exe previously downloaded:
    • Double click on AdwCleaner.exe to run the tool. (Vista, Win7/8 users should right-click and "Run As Administrator")
    • Click on the Scan button.
    • After the scan has finished..
    • Click on the Clean button.
    • Press OK when asked to close all programs and follow the onscreen prompts.
    • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
    • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
    • Attach this log to your next reply.

    Let's reset Chrome to the Default settings:
    Reset Chrome to Defaults

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Set the "Output" to "Standard Output".
    • Change the setting of "Drivers" and "Services" to "Use Safelist"
    • Copy the text in the code box below and paste it into the [IMG] text-field.
      Code:
      activex
      netsvcs
      msconfig
      drives
      
    • Now click the [IMG] button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)

    *Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select "Run As Administrator").

    Please attach the below logs:
    • AdwCleaner[S#].txt
    • OTL.Txt
    • updated C:\MGlogs.zip

    How is the machine running now?
     
