malware and pup problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ellen46240, Aug 7, 2015.

  1. ellen46240

    ellen46240 Private First Class

    Hi..
    I'm running a laptop with XP SP3, trying to make it into a functional computer, to be removed from the web, and used for stand-alone applications if possible. The problems began some time back, and I put it away about 10 months ago. I just got a Vista based machine, but have yet to determine how to make it work.

    Task Manager on the laptop shows Svchost.exe PID 1340 consuming 99% processor time, my desktop has a photo (3x across) that I didn't place, and several programs don't run due to EBlib.dll not found (WVPWUTIL and CeeKey.exe as examples). I first tried my Malwarebytes Premium to scan, which located 70-some PUPs and Win32.downloader.gen as malware. It will run in safe mode with internet services. And I'm working through the preliminary scans now.

    RogueKiller produced a .json file log, not text. Do I need to re-run the scan, as I already closed RK, to produce a text version with "export txt"? And do those need to be generated for each tab category of problems? Thought I would post this before proceeding. Many thanks!
    Jerry
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is correct. They have changed the program again. Not sure why developers keep doing things like this. TXT should be the default.

    No. Just export the log once.
     
  3. ellen46240

    ellen46240 Private First Class

    After running the scans, I rebooted normally. I had svchost.exe PID 1448 running 99%.. I waited, then terminated the process via Task Manager. I tried reloading my Avast which died earlier, but their friendly tech support located Conduit. (and likely many other problems). Looks like this XP may not be worth saving, but would like to use it off line if possible. Windows error reporting showed entries back in September of last year, when this was last used. So the question of what I was doing then is unanswerable. Sorry.

    The many PUPs are likely due to a lack of antivirus when "whatever" caused it to fail, and all of this effort on line has been without any active protection at this point. I will try to get a different computer online to proceed, and keep this one off-line hopefully.

    I re-ran RK since the first report didn't contain much, but I will load both RK logs.

    Let me know what you find. And.. certainly appreciate the assistance!!
     

    Attached Files:

  4. ellen46240

    ellen46240 Private First Class

    And here is the Mgtools log..

    Let me know if you need any other reports. Many thanks!!

    Jerry
     

    Attached Files:

  5. ellen46240

    ellen46240 Private First Class

    I forgot to mention...
    At startup 2 programs do not run because eblib.dll cannot be found. SVPWUTIL.exe and CeeKey.exe. I believe both of these are Toshiba files from a utility program(s) (and possibly passwords too!). But I think I can get those files downloaded from Toshiba once other problems are found and eliminated. A previous run with Spybot S&D showed 6 Conduit entries, 70 ReimagePlus, and 9 for SpeedMaxPc, and the more serious Win32.Downloader.gen. Those were run when I first tried to get this back on line.. well before any of the posted scans. Some were shown to be deleted, but I have no idea for certain.

    Now I'll go read up on Vista. Hopefully it will be less likely to have problems.
    Thanks a million! Jerry
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below program. If you do not find it or it will not uninstall, just keep going.
    Uniblue ProcessScanner

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Services
    YahooAUService
    ReimageRealTimeProtector
    gupdate
    gupdatem
    
    :Files
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Local Settings\Temp\fd5C1NgMnmEEB0N8jMj\133\setup.exe
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Local Settings\Temp\fd5C1NgMnmEEB0N8jMj
    C:\Documents and Settings\All Users\Start Menu\Programs\FileParade bundle uninstaller
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Local Settings\Application Data\Conduit
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Local Settings\Temp\VOT Module.ini.log
    C:\Program Files\Conduit
    C:\rei
    C:\Program Files\Reimage
    C:\WINDOWS\Reimage.ini
    C:\Program Files\Common Files\Spigot
    C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore1d0d163751e31e8.job
    C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3085037330-1606269901-3390669196-1006Core.job
    C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3085037330-1606269901-3390669196-1006UA.job
    C:\WINDOWS\Tasks\Registry Repair.job
    C:\WINDOWS\Tasks\ReimageUpdater.job
    C:\WINDOWS\Tasks\Reimage Reminder.job
    C:\Program Files\Uniblue
    C:\ComboFix
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Local Settings\Temp\*.*
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProcessScanner_is1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\REI_AxControl.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YMERemote.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{7D831388-D405-4272-9511-A07440AD2927}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{ef494946-9425-4a5c-b373-74ccd38e8c48}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\REI_AxControl.ReiEngine]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B722ED8B-0B38-408E-BB89-260C73BCF3D4}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Conduit]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9143e921-7c9a-4d27-ac43-eaccc78cc55a}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileParade bundle uninstaller]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Yahoo\Companion]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CA82E1A5]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ca82e1a5]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_CA82E1A5]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ca82e1a5]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ReimageRealTimeProtector]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CA82E1A5]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ca82e1a5]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ReimageRealTimeProtector]
    [-HKEY_USERS\S-1-5-21-3085037330-1606269901-3390669196-1006\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-3085037330-1606269901-3390669196-1006\Software\IM]
    [-HKEY_USERS\S-1-5-21-3085037330-1606269901-3390669196-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}]
    [-HKEY_USERS\S-1-5-21-3085037330-1606269901-3390669196-1006\Software\Yahoo\Companion]
    [-HKEY_USERS\S-1-5-21-3085037330-1606269901-3390669196-1006\Software\Yahoo\YFriendsBar]
    [-HKEY_USERS\S-1-5-21-3085037330-1606269901-3390669196-1006\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ReimageRealTimeProtector]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ReimageRealTimeProtector]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=-
    [-HKEY_USERS\S-1-5-21-3085037330-1606269901-3390669196-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=-
    [-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ArcadeTwist93"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SearchSettings"=-
    [HKEY_USERS\S-1-5-21-3085037330-1606269901-3390669196-1006\Software\Microsoft\Windows\CurrentVersion\runonce]
    "ArcadeTwist93"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. ellen46240

    ellen46240 Private First Class

    Sorry for the delay to get back to this.. I had a medical issue. Thanks for your patience.

    No problem removing Uniblue. OTM ran ok as prescribed, and produced a log, and I rebooted. I tried running JRT, with all of this being done in Safe mode. It could not create a Restore point (Error 0x8007000A); I proceeded anyway. After clicking OK again, it would begin to scan but only show Checking Startup.. and then it would terminate. I did try to boot normally; however Svchost.exe was running (as before) with 99% CPU usage. I killed the process, and re-running JRT did then establish a Restore point, but ran no further than before. Back into Safe mode, I realized SASCORE.exe was running, so I removed SuperAntiSpyware, and tried again. Same results.. (after an hour of waiting, with no indications it was running, in the task bar or Task Manager, and no log file). I tried reloading JRT direct from Thisisu, since I didn't have the target computer on-line to check for updates.

    Get Logs ran to completion.

    When I rebooted, Windows opened New Hardware Wizard, for "Unknown", which I cancelled. I still had to kill svchost.exe PID 1332, but could then clear the bogus desktop photo. I searched for that file, but it was not found. MSinfo showed ATI Radeon xpress having a problem. I checked MSconfig, just to be certain I didn't have it set custom, and found WAOL in Win.ini for AOL 9.0. (I was always under the impression AOL was a virus system!?!)

    Considering the svchost 1332 still hogs the processor.. and that JRT would not run properly.. I'd assume there are still problems. But please advise what to run next. I did not put the laptop on line, with most of the AV disabled. Now working from another computer. MANY... MANY thanks for all this help! Jerry
     

    Attached Files:
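    A way to see what a busy svchost.exe instance is actually hosting before deciding whether it is malware or a stuck service: this is an added example, not something posted in the thread, and it assumes Windows PowerShell 2.0 or later is installed (XP SP3 does not ship it by default). Every svchost.exe is listed with the services it hosts, its accumulated CPU time and its executable path; Windows Update runs as the service named wuauserv, so seeing that name in the hungry instance points to an update scan rather than an infection, while an svchost.exe that hosts no service or runs from outside system32 deserves a closer look.

```powershell
# Added example (not from the thread): attribute each svchost.exe instance to the
# services it hosts so a runaway instance can be identified.
# Assumes PowerShell 2.0+ (WMI cmdlets), which must be installed separately on XP SP3.

function Get-SvchostServices {
    param([int]$ProcessId = 0)   # 0 = report every svchost.exe instance

    $procs = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'"
    if ($ProcessId -ne 0) {
        $procs = $procs | Where-Object { $_.ProcessId -eq $ProcessId }
    }

    foreach ($p in $procs) {
        # Services whose host process is this PID
        $svcs = Get-WmiObject Win32_Service -Filter ("ProcessId = " + $p.ProcessId) |
                Select-Object -ExpandProperty Name

        # Win32_Process reports CPU time in 100-nanosecond ticks; convert to seconds
        $cpuSeconds = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)

        # Sanity checks a defender cares about: a real svchost.exe lives in
        # %SystemRoot%\system32 (SysWOW64 is also legitimate on 64-bit Windows)
        # and always hosts at least one service.
        $note = ''
        if (-not $svcs) {
            $note = 'hosts no service'
        } elseif ($p.ExecutablePath -and
                  $p.ExecutablePath -notlike '*\system32\svchost.exe' -and
                  $p.ExecutablePath -notlike '*\SysWOW64\svchost.exe') {
            $note = 'unexpected path'
        }

        New-Object PSObject -Property @{
            PID        = $p.ProcessId
            CPUSeconds = $cpuSeconds
            Services   = ($svcs -join ', ')
            Path       = $p.ExecutablePath
            Note       = $note
        }
    }
}

# Usage: busiest instance first. To inspect one PID from Task Manager
# (for example the 1332 mentioned above), call Get-SvchostServices -ProcessId 1332
Get-SvchostServices | Sort-Object CPUSeconds -Descending |
    Format-Table PID, CPUSeconds, Services, Path, Note -AutoSize -Wrap
```

    The same mapping is available without PowerShell from a Command Prompt with `tasklist /svc`, which lists the service names under each PID but not the CPU time or the executable path.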

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have a strong feeling that your problems are not due to malware. It may be that you are just suffering from a very old, very slow PC, with insufficient memory. And also you may not have all of the updates for Window XP SP3 installed which could explain an svchost.exe process hogging up memory and CPU time while trying to perform updates on an unsupported Windows XP operating system.


    But since it would not run, let's clean up a little more junk manually and also we will try uninstalling a few more ( not malware ) programs to see if it helps with the PC getting bogged down in normal boot mode. We really need to see logs from normal boot mode to better understand what is going on.

    With respect to the new hardware being found, you probably need to allow this to run as some driver may have been messed up and needs to be reinstalled.

    AOL is not a virus. It is America Online. If you don't use AOL then uninstall anything related to it if you see anything installed.


    Also uninstall the below now ( this is an attempt to see if it helps with your problems. It is not because they are malware but they can cause performance issues. )
    • avast! Internet Security
    • Protected Folder
    • Smart Defrag 2
    • Spybot - Search & Destroy
    • Yahoo! Search Protection
    After uninstalling the above, reboot your PC and then continue with the below.



    Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Desktop\ComboFix.exe
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Desktop\GooredFix.exe
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Desktop\GooredFix.txt
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Desktop\RootRepeal.rar
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Desktop\Spybot - Search & Destroy.lnk
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Desktop\SUPERAntiSpyware.exe
    C:\Documents and Settings\chuck smith.TOSHIBA-USER.000\Desktop\SUPERAntiSpyware Free Edition.lnk
    C:\Documents and Settings\All Users\Desktop\avast! Internet Security.lnk
    C:\Documents and Settings\All Users\Desktop\Smart Defrag 2.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\avast! Internet Security
    C:\Documents and Settings\All Users\Start Menu\Programs\Protected Folder
    C:\Documents and Settings\All Users\Start Menu\Programs\Smart Defrag 2
    C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
    C:\Documents and Settings\All Users\Start Menu\Programs\SweetPacks
    C:\Qoobox
    C:\WINDOWS\system32\config\systemprofile\Application Data\AOL
    C:\WINDOWS\system32\config\systemprofile\Application Data\IObit
    C:\WINDOWS\system32\config\systemprofile\Application Data\SACor
    C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
    C:\WINDOWS\system32\drivers\etc\hosts.*.backup
    C:\Program Files\IObit
    C:\WINDOWS\Tasks\avast! Emergency Update.job
    C:\WINDOWS\Tasks\SA.DAT
    C:\WINDOWS\Tasks\SmartDefrag.job
    C:\WINDOWS\Tasks\SmartDefrag_Startup.job
    C:\WINDOWS\Tasks\SmartDefragUpdate.job
     
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "avast"=-
    "Adobe ARM"=-
    [HKEY_USERS\S-1-5-21-3085037330-1606269901-3390669196-1006\Software\Microsoft\Windows\CurrentVersion\run]
    "Google Update"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now please download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the AdwCleaner log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
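    The two OTM scripts in this thread (the one a few replies up and the one just above) both follow the same layout: section headers such as :Files and :Reg, one path per line under :Files, and .reg-file conventions under :Reg, where [-KEY] removes a whole key and "Name"=- under a [KEY] header removes a single value. The following added example, which is not part of the thread and is not code from OTM or its author, parses a script of that shape after OTM has run and reports every :Files or :Reg target that still exists, so the MovedFiles log can be cross-checked before reporting back. It assumes PowerShell 2.0 or later (not installed by default on XP SP3) and is run from an administrator session so that HKEY_USERS and HKLM keys are readable.

```powershell
# Added example (not from the thread, not part of OTM): re-check an OTM script's
# :Files and :Reg targets after the MoveIt run and list whatever is still present.
# Assumes PowerShell 2.0+ running elevated; :Processes, :Services and :Commands
# sections are skipped because they describe actions, not leftovers.

function Test-OtmScript {
    param([string]$ScriptText)

    $section = ''
    $currentKey = $null
    $leftovers = @()

    foreach ($raw in ($ScriptText -split "`r?`n")) {
        $line = $raw.Trim()
        # Skip blank lines and the forum's "Code:" title line that must not be pasted
        if ($line -eq '' -or $line -eq 'Code:') { continue }
        if ($line.StartsWith(':')) { $section = $line.ToLower(); $currentKey = $null; continue }

        switch ($section) {
            ':files' {
                # Test-Path -Path understands wildcards such as ...\Temp\*.* and hosts.*.backup
                if (Test-Path -Path $line) { $leftovers += "file: $line" }
            }
            ':reg' {
                if ($line -match '^\[-(.+?)\]?$') {
                    # [-KEY]: the whole key should be gone (a missing "]" is tolerated)
                    $key = $matches[1]
                    $currentKey = $null
                    if (Test-Path -Path ("Registry::" + $key)) { $leftovers += "key: $key" }
                }
                elseif ($line -match '^\[(.+?)\]$') {
                    # [KEY]: the "Name"=- lines that follow name values to delete under it
                    $currentKey = $matches[1]
                }
                elseif ($line -match '^"(.+?)"=-$' -and $currentKey) {
                    $name = $matches[1]
                    $item = Get-ItemProperty -Path ("Registry::" + $currentKey) -Name $name `
                                             -ErrorAction SilentlyContinue
                    if ($item) { $leftovers += "value: $currentKey\$name" }
                }
            }
        }
    }
    return $leftovers
}

# Usage: paste the script that was given to OTM into the here-string. The entries
# below are a subset of the thread's second script, used here only as sample input.
$otmScript = @'
:Files
C:\Qoobox
C:\Program Files\IObit
C:\WINDOWS\Tasks\SmartDefrag.job
C:\WINDOWS\system32\drivers\etc\hosts.*.backup
:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"avast"=-
"Adobe ARM"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=-
'@

$left = Test-OtmScript $otmScript
if (-not $left) {
    "All listed targets are gone."
} else {
    $left | ForEach-Object { Write-Warning ("still present -> " + $_) }
}
```

    Anything reported as still present is worth mentioning in the next reply together with the MovedFiles log, since OTM normally records a "File/Folder not found" line for targets that were already absent and a move line for the ones it handled.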
  9. ellen46240

    ellen46240 Private First Class

    In attempting to shut down, and use safe mode to remove the programs, it says it's updating 2 of 4 and do not shut down. It's not on line. Ignore?? And as for being slow, this problem began a year ago, and it wasn't used since. But at that time, with the same programs loaded, it ran reasonably well.

    Force power off, to get to safe mode to remove programs?
     
  10. ellen46240

    ellen46240 Private First Class

    Not sure how this works, but it's now on 3rd update of 4. (Or it timed out?) So whatever was removed or corrected, is now allowing it to install updates, which were apparently loaded before?? I'll wait till it stops, before rebooting into Safe mode. No problem removing the bloated software.
     
  11. ellen46240

    ellen46240 Private First Class

    I didn't look too closely for AOL (yet). As mentioned in quick posts, it did report installing 4 updates when I attempted to shut down, and boot back into Safe mode to do the program deletes. Letting the Installer run, it's apparently looking for software it did not find, so I'll have to figure out "which needs what". Doing uninstall, Avast showed 750MB(?) in "Add/Delete Control panel". Chrome, which I don't use, shows 301MB. Are those real numbers? MS Office OneNote (which I don't even know what that is) shows 4,095 MB! I did delete all programs you listed. And each program ran fine this time. For some reason, I had to reboot this mule computer, because it would not read the thumb drive when transferring logs back here to the forum. Life should be easier.

    The laptop is running much faster. Still not on line w/o any AV, but Malwarebytes Premium popped open quickly.. and appears to be running normally, waiting to be updated. (I did not run a scan with it yet). I did not see "Reports" on Adwcleaner, but it did produce a log, which I assume you will review, and let me know what else to approve for deletion.

    I don't use Apple application support, nor Apple Mobile Device support, or Apple software update. Ashampoo Burning studio has never been used. Can I delete Bonjour?, Chromium (285MB)?, Everest Home Edition V2.20? I use FireFox, can I delete Google Chrome? (I do use gmail, calendar, task lists, and Google Docs). Never used Google Earth plug-in (83.7 MB), but do use Google Voice.. and don't use iTunes currently (180MB). I'm not sure if Java or Adobe products still work, or if there are work-arounds.. Java 7 shows (120MB). Microsoft Net Framework?? 400 MB total? No idea if needed or not. Is MS Office OneNote required for Word and Excel to run? I do use those 2 programs often. The rest look small in comparison. What all can I delete??

    Any suggestions for compact AV? If I can recover some files safely now, and use this off line, it should be only rarely connected to the internet. Again thanks for all the help here. Jerry
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes a lot of space can be used up by those installed programs and all their various updates and databases.

    You can uninstall ( not delete ) any programs that you do not use. Only you can decide what you use and do not use.

    You cannot uninstall Microsoft .NET because you need it for many applications on your PC. You really need to keep Java and Adobe Reader too or you will have issues on many websites that require them.


    It's a wash. They all impact performance especially on old slow PCs like this which also have very little memory.


    I see your last log from MGtools was from normal boot mode. Does this mean that you are now able to run okay in normal boot mode?
     
  13. ellen46240

    ellen46240 Private First Class

    Chas,
    It did boot normally.. w/o any svchost runaway processes. I put it on-line to allow MalwareBytes to update, with only windows Firewall turned on. I didn't want to load up AV yet, till I cleaned off more of the drive. I show almost 40 processes loaded, but it's idling fine. In removing some docs and other files, I tried opening a pdf, and the viewer crashed. I did not look at the time to see the file size.. and may need to add some decent file viewer, and update Java and Adobe. As I recall one or the other did not have XP system applicable files any longer. Or I may have to figure out which older versions still work. Previously, it would not print, (appeared to no longer be in the local network), but a quick edit of excel and word files found both printed fine. Wow! Back from ICU!

    Do I still need to run AdwCleaner? I didn't take action to delete any of the files it had listed. I assume it's ok to do those uninstalls now? I can clean off a lot of junk! NICE WORK!!! Thanks again!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this is not a topic for the Malware Forum. You can discuss all non-malware issues in the Software Forum.


    It is not really that important to clean up these items since your PC is running fine now. But if you do want to clean up these leftovers then only some of the items should be removed. You will manually have to select and unselect to only clean up items shown below:

    Uninstall!!!! Not delete. They do not mean the same thing.

    Again these are choices left up to you based on what only you know you use/need. This is also a non-malware topic for the Software Forum if you need to discuss it further.
     
  15. ellen46240

    ellen46240 Private First Class

    Chas,
    I only mentioned the viewer crash, because I didn't know the cause.. and you had asked how everything was running. And I didn't want to be thread-hopping until everything malware related was addressed.

    I will edit the list you provided, do that cleaning, and uninstall some programs.. and leave a follow up note, either way if all goes well, or not. I sincerely appreciate all the help, and plan to make a donation to the cause this evening. THANKS!! Jerry
     
  16. ellen46240

    ellen46240 Private First Class

    I did the cleaning and uninstalled several programs, reloaded Avast, and realized MS updates were running at the same time.. VERY SLOW. But 20 updates loaded. The last one, KB890830 (Malware removal tool), apparently caused Avast and Malwarebytes to crash.. so I'm not sure if it got loaded, or if it is something truly needed and/or to verify it. Once all the updates were done, it's running fairly quickly..

    but first thing this morning AV says it located C:\System Volume Information\_restore(8A2FF72E-925C-4693-95A8-CFACA1846F05)\RP445\A0105508.exe as Win32:Evo-gen Suspect (process c:\Windows\System32\Svchost.exe). And it's been quarantined. The SvcHost issue was certainly running all the time.. so I suspect this was a valid malware problem.. or seemed to be. Do I need to do anything more with that file, and/or generate a new/different restore point?

    This morning, ran Excel and Word, printed, and I'm sending from the target.. so it looks GREAT! Do the post exorcism follow up now?? Many Thanks! Jerry
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    This is just System Restore and the below final instructions will address this where I have you disable/enable system restore.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • For Windows 8 and 8.1 system restore see this link: Win 8 System Restore - How to enable/disable
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     