Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by OkieTornado, Oct 16, 2012.

  1. OkieTornado

    OkieTornado Private E-2

    I have some sort of virus going on. I am not sure when it started since most of it was little annoyances. Yesterday I got some sort of File Recovery program that won't go away. At first it was changing everything to hidden files, but the READ ME seemed to fix that. Some problems I still note:
    System32 File Window opens at boot.
    File Recovery program runs
    Firefox says it is already running, but I don't see it on the processes
    One unrecognized process is GPVsvr.exe (there are a few others)
    If I rearrange icons on desktop, they revert to original position on reboot (annoying)
    All Programs is missing most of the programs
    I will attach the READ ME logs.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You installed it. ;) Giga Pocket 5.5

    What do you still have installed from Symantec?? I see software from it that is possibly conflicting with McAfee.

    Uninstall the below:
    Coupon Printer for Windows
    Search Defender for Spyware Begone 2.0
    Spyware Begone V8.40
    Viewpoint Media Player


    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - (no file)
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKCU\..\Run: [wJOQsu7voxMv0f] C:\Documents and Settings\All Users\Application Data\wJOQsu7voxMv0f.exe
    O4 - HKCU\..\Run: [PbtXZly2WLjlcO] C:\Documents and Settings\All Users\Application Data\PbtXZly2WLjlcO.exe
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

    After clicking Fix, exit HJT.


    Rerun RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

    Then select the Files tab and if the below exist, click the Delete button again.

    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it ( if you are running Vista or Win 7, use right click and select Run As Administrator ). Did that help with your missing items? See if anything is still missing!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
    Then attach the below logs:
    • the new RogueKiller log
    • C:\MGlogs.zip
     
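Added example, not part of the thread and not one of the MajorGeeks tools: a small Python triage pass over HijackThis-style lines such as the ones quoted in the post above. It flags two things a helper looks for by eye: orphaned entries that HijackThis prints as "(no file)" (the O2/O3/O9 leftovers), and O4 Run entries whose target lives in the shared "All Users\Application Data" (or ProgramData) folder under a machine-generated name, the pattern of the two rogue loaders above. The random-name heuristic (length, mixed case plus digits, low vowel ratio) and the folder markers are my assumptions, not anything the forum's tools use; the sample input is constructed from the lines on this page plus one ordinary vendor entry quoted later in the thread.

```python
from __future__ import annotations

import re

# Constructed sample input: the HijackThis lines quoted in the post above, plus one
# ordinary vendor Run entry (from later in the thread) so a benign line is present.
SAMPLE_HJT = r"""O2 - BHO: (no name) - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKCU\..\Run: [wJOQsu7voxMv0f] C:\Documents and Settings\All Users\Application Data\wJOQsu7voxMv0f.exe
O4 - HKCU\..\Run: [PbtXZly2WLjlcO] C:\Documents and Settings\All Users\Application Data\PbtXZly2WLjlcO.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
"""

# O4 lines look like: O4 - <hive\..\Run>: [<value name>] <command> [(User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)

# World-writable shared profile folders this malware family drops its loader into
# (XP "All Users\Application Data" and the Vista+ "ProgramData" equivalent).
# Assumption: these two markers are enough for the cases on this page.
SHARED_APPDATA_MARKERS = ("\\all users\\application data\\", "\\programdata\\")


def is_orphan(line: str) -> bool:
    """Entry whose registered file is gone; HijackThis prints it as '(no file)'."""
    return line.rstrip().endswith("(no file)")


def looks_random(name: str) -> bool:
    """Heuristic (assumption) for generated names like wJOQsu7voxMv0f:
    10+ chars, purely alphanumeric, mixed case with digits, and few vowels."""
    if len(name) < 10 or not name.isalnum():
        return False
    has_upper = any(c.isupper() for c in name)
    has_lower = any(c.islower() for c in name)
    has_digit = any(c.isdigit() for c in name)
    letters = [c for c in name if c.isalpha()]
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / max(len(letters), 1)
    return has_upper and has_lower and has_digit and vowel_ratio < 0.35


def parse_o4(line: str) -> dict[str, str] | None:
    """Split an O4 line into hive, value name and command; None for other lines."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def in_shared_appdata(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in SHARED_APPDATA_MARKERS)


def triage(hjt_text: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for every line worth fixing or investigating."""
    findings: list[tuple[int, str]] = []
    for n, line in enumerate(hjt_text.splitlines(), start=1):
        if is_orphan(line):
            findings.append((n, "orphan"))
            continue
        o4 = parse_o4(line)
        if o4 and in_shared_appdata(o4["cmd"]) and looks_random(o4["name"]):
            findings.append((n, "random-loader"))
    return findings


if __name__ == "__main__":
    for lineno, reason in triage(SAMPLE_HJT):
        print(f"line {lineno}: {reason}")
```

The orphan entries are harmless clutter (nothing runs), while the two "random-loader" hits are live persistence and are the lines to fix first; after fixing, re-run the scan and confirm neither reason is reported again.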
  3. OkieTornado

    OkieTornado Private E-2

    I followed your instructions up to the Rerun RogueKiller. The scan does not complete. It stops and says Firefox is running and then it says Zero Access. I am unable to close Firefox. There are two firefox processes running (mfefire.exe and mfevtps) and if I try to end them, it says access denied. I have attached the latest RogueKiller log. I did not do any fixes.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are not Firefox. Those are McAfee services. You need to shut McAfee down again and follow the same steps.

    This time make sure to also get the new MGlogs.zip file too.
     
  5. OkieTornado

    OkieTornado Private E-2

    Yesterday I did not finish the instructions you gave me because RogueKiller wouldn't complete because Firefox wouldn't close. This time I ignored that and went ahead and did the fixes it found and moved on to UnHide and MGtools. Missing items seem to all be back and Firefox will now close. I have attached the most recent logs as requested.

    Am I all fixed, or do I have more to do?

    Thank you so much for your help.

    --Rita
     

    Attached Files:

  6. OkieTornado

    OkieTornado Private E-2

    The only thing that seems to be a problem now is that it won't allow me to scan for or install updates to McAfee. It does say updates are available and my subscription is current.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my question about the Symantec stuff. If you do not have anything from Symantec installed that you know of, there is cleanup to do because I see things and they could cause issues.

    Your McAfee problems may be signs that the program is broken. It may need to be uninstalled followed by a reboot and then reinstall.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab\


    After clicking Fix, exit HJT.



    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    explorer.exe
     
    :Services
    SNDSrvc
     
    :Files
    C:\Documents and Settings\All Users\Application Data\Symantec
    C:\Program Files\Common Files\Symantec Shared
    C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Viewpoint
    C:\Documents and Settings\All Users\Application Data\-PbtXZly2WLjlcO
    C:\Documents and Settings\All Users\Application Data\-PbtXZly2WLjlcOr
    C:\Documents and Settings\All Users\Application Data\PbtXZly2WLjlcO
    C:\Documents and Settings\All Users\Application Data\PbtXZly2WLjlcO.exe
    C:\Documents and Settings\All Users\Application Data\wJOQsu7voxMv0f
    C:\Documents and Settings\All Users\Start Menu\Programs\Spyware Begone Full Version
    C:\Documents and Settings\Charlie Loftin\Local Settings\Application Data\Adobe\ABBYY\seooyfkk.dll
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6AF90EF6-F7F9-466C-99F4-1774826FBB40}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sevinst]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ABBYY]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe ARM]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATT-SST_McciTrayApp]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PC-Checkup]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Oct 20, 2012
  8. OkieTornado

    OkieTornado Private E-2

    The first time you contacted me and asked me to uninstall a few programs, I found two by Symantec (Tech Support and Web Controls). I uninstalled both of those. I guess there may still be some residual. I believe the previous owner may have used Norton.

    My McAfee is apparently sort of working now. I changed the settings to automatically download updates. When I had the settings on notify me, it said they were available, but I didn't see how to install them.

    Now the problem is the OTM link does not work (page not found). I went to the geekstogo site and can't seem to get it to work there either (Firefox can't find the file at http://oldtimer.geekstogo.com/OTM.exe).
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then I will modify my previous fix to add things for removing the left overs. Please re-read those steps as they will have changed.


    Works fine for me. Please try again or try IE instead of Firefox. If still having a problem, try the below link.

    OTM
     
  10. OkieTornado

    OkieTornado Private E-2

    I ran the analyze.exe and fixed the files you noted. It doesn't look like the zip file updated, but maybe it did. I will attach.

    I am still unable to download the OTM file. I tried from IE this time. It downloads 99% and then gets the following error message: "Cannot copy OTM[1]: Access is denied. Make sure disk is not full or write protected and that the file is not currently in use"
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try a couple things:
    • Disable McAfee and see what happens
    • If you are trying to save it to your Desktop when this error occurs, try another folder. Like My Documents.
    • Also when downloading it, try renaming it from OTM.exe to OTM.tmp and see what happens.
     
  12. OkieTornado

    OkieTornado Private E-2

    Temporary Disable of McAfee did the trick. I am attaching the Log files as requested.

    One odd thing that still occurs is the System32 Folder still opens at boot.

    Also, the program called "File_Recovery" is still present, although it does not automatically start itself.

    Thanx, Rita
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the logs.
     
  14. OkieTornado

    OkieTornado Private E-2

    Dang! I coulda swore I did the uploads and attached......Here I go again....
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is probably not due to malware. You have a whole bunch of startup processes whose registry entries appear to be broken. They appeared this way even in your first logs. One of them is even for McAfee but there are several more. I can attempt to guess at what they should be set to and maybe we will get lucky and repair them. ;) If not, the software would have to be reinstalled to repair. Make sure McAfee is disabled before doing the below.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Try deleting the below and see if this helps. The first is a file and the second a folder.

    C:\Documents and Settings\Charlie Loftin\Desktop\File_Recovery.lnk
    C:\Documents and Settings\Charlie Loftin\Start Menu\Programs\File Recovery


    Did the above instructions help?
     
  16. OkieTornado

    OkieTornado Private E-2

    I did get a success message on the Regedit and the file deletions got rid of that "File Recovery" File. However, the System32 window still shows up when I boot the computer. <shrug> It is annoying, but if you think the Malware is gone that is great!

    Anything else I should do? Thank you so much for all this help!!! ----Rita
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Correct! This remaining issue is not a malware problem. Let's see if the registry patch truly worked as desired.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\MGlogs.zip
     
    Last edited: Oct 26, 2012
  18. OkieTornado

    OkieTornado Private E-2

    Latest logs.....
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I suspected, the registry patch did not work. Did you have McAfee fully shut down as requested before running the patch? If not you should try again but ONLY with McAfee shut down. Then reboot and see if it worked. You can look at the hijackthis.txt log in a new MGlogs.zip to check for yourself. If you still see the below corrupted entries, it did not work.
     
  20. OkieTornado

    OkieTornado Private E-2

    I tried the registry patch again...assuring that I turned off McAfee first. I did get a message that it was successful. However, those entries are in the new log. Two questions. By setting real time scanning to off, is that really shutting down McAfee? And, when I do the fixme.reg, is the first line REGEDIT4 supposed to be included (I did include it)?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sort of but not completely. This may be the best you can easily do.

    Yes and it must be the first line. Nothing can be before it.

    Let's try this different patch where we will delete the whole "Run" key and then restore it.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now shut down McAfee ;) and download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip
     
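Added example, not the fixme.reg from this thread (which is not reproduced on the page) and not a MajorGeeks tool: a Python script that writes the kind of patch described in the post above, a REGEDIT4 file that deletes the whole Run key with regedit's "[-key]" syntax and then re-creates it with only known-good values, plus a validator for the format rules that make a hand-made .reg file silently do nothing. The Run values to restore are constructed placeholders; the real ones would come from the logs, which are not on the page. Two format facts the checks rely on: REGEDIT4 is the ANSI-encoded header (the Unicode variant is "Windows Registry Editor Version 5.00"), and string data escapes backslashes and double quotes.

```python
from __future__ import annotations

REG_HEADER = "REGEDIT4"  # ANSI-format header; must be line 1 with nothing before it
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG")

# Constructed sample of known-good Run values to restore. The path is hypothetical;
# the thread's real values live only in the attached logs.
SAMPLE_ENTRIES = {
    "ExampleTray": r'"C:\Program Files\Example\tray.exe" /background',
}


def reg_escape(s: str) -> str:
    """String data in a .reg file: backslashes and double quotes are escaped."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_run_key_patch(key: str = RUN_KEY,
                        entries: dict[str, str] | None = None) -> str:
    """Emit a REGEDIT4 patch that deletes `key` and re-creates it with `entries`.

    '[-key]' is regedit's delete-key syntax; the '[key]' block that follows
    re-creates the key holding only the listed REG_SZ values, so any corrupted
    entries that a plain overwrite would leave behind are gone."""
    entries = SAMPLE_ENTRIES if entries is None else entries
    lines = [REG_HEADER, "", f"[-{key}]", "", f"[{key}]"]
    for name, cmd in entries.items():
        lines.append(f'"{reg_escape(name)}"="{reg_escape(cmd)}"')
    return "\r\n".join(lines) + "\r\n"


def validate_reg(text: str) -> list[str]:
    """Return the format problems found; an empty list means regedit should accept it."""
    problems: list[str] = []
    if text.startswith("\ufeff"):
        problems.append("byte-order mark before header (save as ANSI for REGEDIT4)")
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0] != REG_HEADER:
        problems.append(f"first line must be exactly {REG_HEADER}")
    if len(lines) < 2 or lines[1] != "":
        problems.append("header must be followed by a blank line")
    in_key = False
    for n, line in enumerate(lines[2:], start=3):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")
            if not key.startswith(HIVES):
                problems.append(f"line {n}: key must start with a full hive name, "
                                "not an abbreviation such as HKLM")
            in_key = True
        elif line.startswith('"') or line.startswith("@="):
            if not in_key:
                problems.append(f"line {n}: value outside any [key] block")
            if line.startswith('"') and '"=' not in line:
                problems.append(f"line {n}: malformed value line")
        else:
            problems.append(f"line {n}: unrecognised line")
    return problems


if __name__ == "__main__":
    patch = build_run_key_patch()
    print(patch)
    print("problems:", validate_reg(patch) or "none")
```

The validator catches what the file itself can get wrong (a BOM or stray text ahead of REGEDIT4, a missing blank line after it, HKLM-style abbreviations). It cannot catch the failure seen in this thread, where regedit reports success yet the entries are unchanged because a security product is still guarding the key; the only check for that is reading the key back afterwards, as the thread does by looking at a fresh hijackthis.txt.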
  22. OkieTornado

    OkieTornado Private E-2

    I did get the success message.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That looks better. Are you still having problems?
     
  24. OkieTornado

    OkieTornado Private E-2

    I waited a couple days, but everything seems fine! The system32 window no longer pops of on boot and I don't see any other problems at this time. Thank you so much for all your help!!

    ---Rita
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  26. OkieTornado

    OkieTornado Private E-2

    Well, just got a chance to work on this clean-up. Can most of these programs I am supposed to uninstall be placed in the recycle bin? I don't see HiJackThis on my add/remove programs list. Not sure where HitManPro is. RogueKiller is on my desk top...do I also delete the related folders? I usually know what I am doing, but feeling a little befuddled.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just run step 7 first and then start back at step 2 ( ignore step 1). MGclean.bat will take care of most of it.
     
  28. OkieTornado

    OkieTornado Private E-2

    I am back again. Life got in the way of completing stuff before. My McAfee subscription expired (through AOL). I have been trying to download the newest one and keep getting an error "We couldn't install any of the security features included with your software. To fix this, you can: Try installing them again". Repeated installation attempts have been to no avail. I even let a McAfee tech take control. He said, it should work now, but didn't. Very frustrating. I don't know what might be stopping it. Since part of the process removed the old software, I have been unprotected for over a month now. Can you fix this? Or should I go back to McAfee help?

    I ran the read me stuff again and except for a few items on Rogue Killer, everything else looks clear.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are you running the READ & RUN ME FIRST again? My last instructions were for final cleanup because we had finished with malware removal.
     
  30. OkieTornado

    OkieTornado Private E-2

    Sorry. It had been a while and I thought I was having new problems. I guess I am just clueless as to what I am supposed to do.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just needed to finish what was in message #25, but let me give those instructions to you again since they have changed slightly.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  32. OkieTornado

    OkieTornado Private E-2

    When attempting to flush restore points, I got the following error message: "System Restore encountered an error trying to enable/disable one or more drives. Please restart your machine and try again."

    Repeated attempts brought up the same message.

    I am also unable to install McAfee.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try reinstalling System Restore.

    http://bertk.mvps.org/html/reinstall.html

    But this may not be the problem. The problem may be due to the fact that you are getting too low on free hard disk space. Your hard disk is extremely small by today's standards.

    What happens? Per your last logs, McAfee was still installed. It may be time to switch to something else.
     
