Vista home premium updates & other issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by cyberjoyce, Nov 26, 2012.

  1. cyberjoyce

    cyberjoyce Private E-2

    :cry

    Good day:

    I am trying to resolve the update issue on the computer, that indicates the BITS is missing, thus cannot update.

    I have run Malware, CClean, JRT, and cannot find anything. I have also tried Microsoft support to no avail.

    The Windows version is Vista Home Premium 32bit.

    In addition, Microsoft Works which is included will not work anymore;
    games that are also included do not work......

    This computer is my friend's computer and she does not speak English, therefore I am assisting her with her issues.

    Thank you for your help in these issues.

    cyberjoyce
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to the Malware Removal Forum.

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. cyberjoyce

    cyberjoyce Private E-2

    :wave Good morning Kestrel13:

    I have run all the recommended software, and I am attaching for your perusal.

    Thank you, and have a great day.

    Regards,

    Joyce
     

    Attached Files:

  4. cyberjoyce

    cyberjoyce Private E-2

    :wave Good morning Kestrel13:

    I have run all the recommended software, and I am attaching for your perusal.

    Thank you, and have a great day.

    Regards,

    Joyce
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi CyberJoyce :wave

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode

    Uninstall the below:

    • CouponBar
    • Fast Browser Search (My Face lol)




    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 2 detections:
    • [TASK][ROGUE ST] 4670 : wscript.exe C:\Users\Aline\AppData\Local\Temp\launchie.vbs //B -> TROUVÉ
    • [TASK][SUSP PATH] IHUninstallTrackingTASK : CMD /C DEL C:\Users\Aline\AppData\Local\Temp\IHU9814.tmp.exe -> TROUVÉ

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    and the same for entries in the files/folder tab

    • [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-2417277612-908909682-2248592819-1000\$da97d96e5ece36298dde8163bfe468de\@ --> TROUVÉ
    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2417277612-908909682-2248592819-1000\$da97d96e5ece36298dde8163bfe468de\U --> TROUVÉ
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2417277612-908909682-2248592819-1000\$da97d96e5ece36298dde8163bfe468de\L --> TROUVÉ

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    • O2 - BHO: (no name) - {4daac69c-cba7-45e2-9bc8-1044483d3352} - (no file)
    • O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - (no file)
    • O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
    • O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    • O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    • O3 - Toolbar: (no name) - {4daac69c-cba7-45e2-9bc8-1044483d3352} - (no file)
    • O3 - Toolbar: (no name) - {ecce0073-a837-45a2-95b9-600420505f7e} - (no file)
    • O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    • O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
    • O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
    • O9 - Extra button: Remplir - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - (no file)
    • O9 - Extra 'Tools' menuitem: Remplir le formulaire - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - (no file)
    • O9 - Extra button: Enregistrer - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - (no file)
    • O9 - Extra 'Tools' menuitem: Enregistrer le formulaire - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - (no file)
    • O9 - Extra button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - (no file)
    • O9 - Extra 'Tools' menuitem: Barre RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - (no file)
    • O9 - Extra button: Web Snapshot - {954A224B-F501-4911-A8BF-6709A048FD77} - (no file) (HKCU)
    • O9 - Extra 'Tools' menuitem: Web Snapshot - {954A224B-F501-4911-A8BF-6709A048FD77} - (no file) (HKCU)
    • O18 - Protocol: skype-ie-addon-data - (no CLSID) - (no file)

    After clicking Fix exit HJT.



    Rerun Hitman and have it delete:
    Malware remnants and Potential Unwanted Programs

    Open up Services, scroll down to the Background Intelligent Transfer Service if it shows and let me know the status and start up type please.

    What's inside this folder?

    C:\ProgramData\DE8B2D457FD1CB06001EDE8B0E85960C

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
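
Added example, not part of the original posts and not code from HijackThis or MGtools: a small Python parser for the HijackThis-style lines quoted in this thread. It flags entries whose registered file is missing ("(no file)") and CLSIDs that are registered in more than one section. The sample lines are copied from the thread; all function and field names are hypothetical.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: lines copied from the HijackThis selections quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4daac69c-cba7-45e2-9bc8-1044483d3352} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {4daac69c-cba7-45e2-9bc8-1044483d3352} - (no file)
O9 - Extra button: Web Snapshot - {954A224B-F501-4911-A8BF-6709A048FD77} - (no file) (HKCU)
O18 - Protocol: skype-ie-addon-data - (no CLSID) - (no file)
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [GamingWonderland Search Scope Monitor] "C:\PROGRA~1\GAMING~2\bar\1.bin\gtsrchmn.exe" /m=2 /w /h
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")      # section, kind, remainder
RUN_RE = re.compile(r"^\[(.+?)\] (.*)$")               # O4: [value name] command line
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)\b', re.IGNORECASE)


@dataclass
class Entry:
    section: str           # e.g. "O2"
    kind: str              # e.g. "BHO", "Toolbar", "HKLM\..\Run"
    name: str              # display name or Run value name
    clsid: Optional[str]   # lower-cased CLSID, or None when the line has none
    target: str            # file column or command line
    orphaned: bool         # True when the log reports "(no file)"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for anything that is not an entry."""
    m = LINE_RE.match(line.strip().lstrip("• ").strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    run = RUN_RE.match(rest) if section == "O4" else None
    if run:
        # Autorun entries carry a command line instead of a CLSID/file pair.
        return Entry(section, kind, run.group(1), None, run.group(2), False)
    # CLSID-style entries: "<name> - <clsid> - <file>"; split from the right so
    # a name containing " - " does not shift the columns.
    parts = rest.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, clsid, target = parts
    clsid = clsid.lower() if clsid.startswith("{") else None
    return Entry(section, kind, name, clsid, target, target.startswith("(no file)"))


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def shared_clsids(entries: List[Entry]) -> Dict[str, List[str]]:
    """CLSIDs registered in more than one section (e.g. both BHO and toolbar)."""
    seen = defaultdict(set)
    for e in entries:
        if e.clsid:
            seen[e.clsid].add(e.section)
    return {c: sorted(s) for c, s in seen.items() if len(s) > 1}


def executable_of(entry: Entry) -> Optional[str]:
    """Executable path of an autorun command line, quoted or unquoted."""
    m = EXE_RE.match(entry.target)
    if not m:
        return None
    return m.group(1) or m.group(2)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        if e.orphaned:
            print(f"orphaned  {e.section:<3} {e.kind}: {e.name} {e.clsid or ''}")
        elif e.section == "O4":
            print(f"autorun   {e.section:<3} {e.name} -> {executable_of(e)}")
    for clsid, sections in shared_clsids(parsed).items():
        print(f"shared    {clsid} in {', '.join(sections)}")
```
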
     
  6. cyberjoyce

    cyberjoyce Private E-2

    :)Good day Kestrel13:

    Here are my responses and/or reports relative to your directives:

    Machine put back into normal start up
    Could not locate CouponBar or Fast Browser Search, I am assuming they have been removed.

    Ran RogueKiller and deleted the items you requested to be deleted; had some trouble locating, but I believe they all have been deleted

    Enclosing reports View attachment RKreport[1]_S_11302012_02d1003.txt

    View attachment RKreport[2]_S_30112012_131531.txt

    View attachment RKreport[3]_D_30112012_132123.txt

    View attachment RKreport[4]_D_30112012_134100.txt

    View attachment RKreport[5]_S_30112012_134121.txt

    I have more but I can't upload in this e-mail. I will send them in another e-mail.

    Rebooted the computer.

    Ran MGtools and selected as per your list; clicked fix and exited

    Reran Hitman and deleted remnants.

    Could not locate BITS in the services section.

    C:\Program Data\ DE8B2D457FD1CB06001EDE8B0E85960C and am sending in next response screen shots.

    Ran C:\MGtools\GetLogs.bat and will include in my next response.

    Thank you so very much for all your help and patience.

    See you in a minute....

    Cyberjoyce
     
    Last edited by a moderator: Nov 30, 2012
  7. cyberjoyce

    cyberjoyce Private E-2

    Additional information for Kestrel13

    :confused Good day Kestrel13:

    As I indicated in my initial reply, I have attachments that I could not include, and I am including in this message:

    I have more attachments, but I have attached the maximum allowed.
    I will send you, yet another thread/post.

    :)Cyberjoyce
     

    Attached Files:

    Last edited by a moderator: Dec 2, 2012
  8. cyberjoyce

    cyberjoyce Private E-2

    Page 3, additional information for Kestrel13

    Here I am once more, I hope this is the way to do this submission of attachments.

    Kestrel, it would appear that I either did not run RogueKiller appropriately, as I have 8 reports, rather than just one. I apologize for this, I trust it will still show the appropriate information.

    Once more, thank you so much for your dedication, patience and assistance in finding a resolution to these issues.

    Have a wonderful weekend!

    By the way, my friend Aline is inviting you to Quebec city for the Winter Carnival; she was wondering if you do house calls, or if you know anyone in Quebec that you could refer to her?
    In any case, she also asked me to convey her thanks for all your help.....

    Warm regards,

    Cyberjoyce
     

    Attached Files:

    Last edited by a moderator: Dec 2, 2012
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'll be waiting for you to attach the remaining logs. :)
     
  10. cyberjoyce

    cyberjoyce Private E-2

    Good morning Kestrel13:

    I sent the remaining attachments under a new thread, I see them on the screen; or perhaps I missed some???

    Please let me know what is missing.

    Warm regards,

    Cyberjoyce

     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Apologies, Joyce, will review those logs as soon as possible now. Maybe the post was stuck in moderation or something but it's cleared now. :)
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'm based in the UK I am afraid but thanks for the kind words! The Winter Carnival sounds amazing.

    Re run Hitman and have it delete Malware remnants and Potential Unwanted Programs.

    If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    • O3 - Toolbar: (no name) - {4daac69c-cba7-45e2-9bc8-1044483d3352} - (no file)
    • O3 - Toolbar: (no name) - {ecce0073-a837-45a2-95b9-600420505f7e} - (no file)
    • O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    • O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
    • O4 - HKLM\..\Run: [GamingWonderland Search Scope Monitor] "C:\PROGRA~1\GAMING~2\bar\1.bin\gtsrchmn.exe" /m=2 /w /h
    • O4 - HKLM\..\Run: [GamingWonderland Browser Plugin Loader] C:\PROGRA~1\GAMING~2\bar\1.bin\gtbrmon.exe
    • O4 - HKLM\..\Run: [DataMngr] C:\PROGRA~1\WI9130~1\DataMngr\DataMngrUI.exe

    After clicking Fix exit HJT.



    Delete this folder: C:\ProgramData\DE8B2D457FD1CB06001EDE8B0E85960C

    Download this file to your desktop BITS.reg

    • Now please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the BFE.reg file saved to your Desktop and double click it. Allow it to be added to the registry.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  13. cyberjoyce

    cyberjoyce Private E-2

    Hello Kestrel13:

    You must be wondering why it took me so long to respond. I only read part of your message, and I was waiting to hear from you.

    Should have looked further, as you had responded. In any case, I proceeded as you recommended and I am enclosing the MGlogs.zip file.

    I did attempt to download MS updates, of which there are 17, but the process failed yet again.

    Thank you so much for all your assistance, and have a great day!

    Warm regards,
    Cyberjoyce
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Open up services, scroll down to the Background Intelligent Transfer Service and let me know its status and start up type IF it appears.
     
  15. cyberjoyce

    cyberjoyce Private E-2

    Good morning Kestrel13:

    Windows Messenger has been removed.

    Cannot locate Background Intelligent Transfer Service; I attempted to have it translated to French as her system is in French, but it would appear that it does not translate????

    Thanks for all your work!

    Have a great day!

    Warm regards,
    Cyberjoyce
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do this again as previously instructed:

    Download this file to your desktop BITS.reg

    • Now please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the BITS.reg file saved to your Desktop and double click it. Allow it to be added to the registry.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  17. cyberjoyce

    cyberjoyce Private E-2

    Good morning Kestrel13:

    I followed your instruction, and please find enclosed MGTools.zip file

    Warm regards,

    Cyberjoyce
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Is it showing in services now?
     
  19. cyberjoyce

    cyberjoyce Private E-2

    :)Good morning Kestrel13:

    Yes, it is now listed in Services, and I was able to install 7 of 18 updates.
    The remaining could not update and the reference/error code is 80073712.

    Also, there is an icon for GameXNGo that keeps showing up and I have tried numerous times to delete, but it keeps rearing its ugly head....

    Thanks for resolving part of the issues.

    Have a wonderful day!

    Warm regards,
    Cyberjoyce
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello cyberjoyce. Please take a look at Windows Update error 80073712

    There are a couple of things to try there.

    Now, in the meantime, please do this:

    Uninstall the below using Revo Uninstaller.

    • Fast Browser Search (My Face lol)
    • CouponBar


    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Delete this folder
    • C:\ProgramData\GameXN

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now! :)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are forgetting the below which are part of this:
    The user installed this when they installed Skype. See >> http://www.easybitsmedia.com/WhatsNewInEasyBitsGO
     
    Last edited: Dec 14, 2012
  22. cyberjoyce

    cyberjoyce Private E-2

    Good morning Chaslang & Kestrel:

    Chaslang, I believe I have successfully removed GameXN, as I could not locate the 2 items you listed.

    Kestrel13, I cannot locate Fast Browser Search (My Face lol)
    CouponBar to remove them with Revo Uninstaller.

    The regedit4 was successful.

    I am enclosing the MGlogs.zip file as requested

    With regard to updates, still having issues even though I downloaded the program they recommend; it took forever to install. Then I tried to install updates and still getting error message 80073712.

    Thank you both for your help!

    Have a great day!

    Warm regards,
    Cyberjoyce
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like Kestrel13! was thinking I was picking up this thread which was not the case. I was just pointing out some items being missed. However now that this is slipping down a little, I will continue.

    Your issue with Windows Update may have to be worked in the Software Forum as it does not appear to be a malware issue especially since you could get some updates and not others. My first suggestion though would be to totally disable AVG and any firewall and see if you can get updates. If that does not work then uninstall AVG and see if it helps. Possible reasons for broken Windows Update is due to you running things like below in the past:

    Advanced Registry Optimizer

    Registry cleaning is not recommended and neither are performance tweaking tools. Sooner or later, people run into issues due to using them. Sometimes they don't notice the issues for months since what may have been broken by these tools may be something not frequently accessed/used.

    Also note the below file may provide some useful info if you need to go to the Software Forum for this:

    C:\Windows\WindowsUpdate.log

    You also have some leftovers from Radial Point Software ( a security/antivirus program ) that you probably got from your ISP at some point in time. This needs to be cleaned up as it can cause problems and conflicts with AVG.

    Uninstall the below.
    RPS CRT
    RPS CRT
    RPS CRT
    RPS CRT
    RPS PerfectDiskStub
    RPS RpsCore

    If you don't see them, check to see if the below names exist:

    {097BF3FA-6D71-4D5A-BEAD-BE775156FBDA}
    {176A23AD-3A1F-4EAB-8F49-A41692F5E64C}
    {1FE8C6F5-003D-4CA3-B01D-8C0135CC0FF8}
    {58CA56FB-F33E-4CE2-B2EA-EA0BFC96AF0A}
    {F22B6F59-D6A5-4FA1-A913-D821A9F53DD6}
    {FD10F65E-A274-47AC-A118-91E4628AB9F7}

    Let me know the results. We can run a fix to remove them if necessary.

    Also note that you did not get rid of all of GameXN yet. I still see files and the ezGOSvc service from it. I will wait to make a single fix though if the above items cannot be uninstalled.

    We will also add removing the rest of CouponBar and also BitDefender Threat Scanner service to delete.
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    My apologies.
     
  25. cyberjoyce

    cyberjoyce Private E-2

    Good morning Kestrel13 & Chaslang:

    I am totally lost as I could not locate the files that Chaslang has listed in his thread.

    I do have some expertise, but not nearly as much as you both.

    I removed AVG and Advanced Registry Optimizer as per your instructions Chaslang; then proceeded to install updates, failed yet again and the same error 0x80073712 including this message: ERROR_SXS_COMPONENT_STORE_CORRUPT

    I am at a loss and feel very frustrated that this issue keeps rearing its ugly presence.

    I was wondering if perhaps we should simply reinstall her operating system, Windows Vista Home Premium? The only problem is that she was never provided with the CDs as the system was installed by her then Internet provider Bell Canada; she has since then moved on to another provider that only supports the internet connection.

    Would you know where we could obtain the CD's, at a reasonable cost, since Microsoft wants $100. I truly am disgusted with all these huge companies, that do not provide any service without charging exorbitant amounts.

    The reason I have come to this conclusion is that she cannot access Microsoft Works, although it appears to be there, the card games that come with Windows are also inaccessible, unable to install Incredimail, etc.,etc.

    Please let me know what your thoughts are on this.

    Thank you for both your assistance in this matter, wish I could be of more help....

    Meanwhile, have yourselves a very Merry Christmas.

    By the way, earlier yesterday morning, I filled out a response, but it went by the way side???? Perhaps in a Black Hole....LOL

    Warm regards,

    Cyberjoyce
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can run Microsoft's System Update Readiness Tool for Vista as in the below.

    http://support.microsoft.com/kb/947821
     
  27. cyberjoyce

    cyberjoyce Private E-2

    Good morning Chaslang:

    Yes, I installed it, it took forever, but still getting same error message....

    I omitted to mention this when I replied earlier.

    Warm regards,

    Cyberjoyce


    I will try one more time and I will let you know the results.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We cannot help you with purchasing CDs for Vista. You can search just as well as we can for best prices. ;) It does look like you have a factory partition on your hard disk which could be used to reimage your drive. I saw the below in your logs.
    Code:
    Volume 2     D   FACTORY_IMA  NTFS   Partition     10 G   Sain      
    Okay then it probably will not be fixed by anything we would do here in the malware forum. This is a Windows issue not a malware issue. However let's finish with some of the items I mentioned previously.

    First I want to make sure that you have uninstalled AVG as requested. If it is not uninstalled ( or you reinstalled it or any other antivirus ) uninstall now before continuing.


    Be patient while doing the below. The fixes can sometimes take quite a while to run, especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.


    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    :Services
    scan
    BitDefender Threat Scanner
    ezGOSvc
     
    :Files
    C:\Users\Aline\AppData\Roaming\AVG2013
    C:\Users\Aline\AppData\Local\Avg2013
    C:\ProgramData\Agnitum
    C:\ProgramData\AVG2013
    C:\Users\Aline\AppData\Local\Temp\*.*
    C:\Windows\Temp\*.*
    C:\Windows\System32\drivers\avgidshx.sys
    C:\Windows\System32\drivers\avgidsshimx.sys
    C:\Windows\System32\drivers\avgidsdriverx.sys
    C:\Windows\System32\drivers\avgldx86.sys
    C:\Windows\System32\drivers\avglogx.sys
    C:\Windows\System32\drivers\avgmfx86.sys
    C:\Windows\System32\drivers\avgtdix.sys
    C:\Windows\System32\drivers\rp_pkt32.sys
    C:\Windows\System32\drivers\rp_skt32.sys
    MsiExec.exe /I{097BF3FA-6D71-4D5A-BEAD-BE775156FBDA}
    MsiExec.exe /I{176A23AD-3A1F-4EAB-8F49-A41692F5E64C}
    MsiExec.exe /I{1FE8C6F5-003D-4CA3-B01D-8C0135CC0FF8}
    MsiExec.exe /I{58CA56FB-F33E-4CE2-B2EA-EA0BFC96AF0A}
    MsiExec.exe /I{F22B6F59-D6A5-4FA1-A913-D821A9F53DD6}
    MsiExec.exe /I{FD10F65E-A274-47AC-A118-91E4628AB9F7}
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{097BF3FA-6D71-4D5A-BEAD-BE775156FBDA}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{176A23AD-3A1F-4EAB-8F49-A41692F5E64C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1FE8C6F5-003D-4CA3-B01D-8C0135CC0FF8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{58CA56FB-F33E-4CE2-B2EA-EA0BFC96AF0A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F22B6F59-D6A5-4FA1-A913-D821A9F53DD6}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FD10F65E-A274-47AC-A118-91E4628AB9F7}]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"=-
    "FileHippo.com"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SunJavaUpdateReg"=-
    [HKEY_USERS\S-1-5-21-2417277612-908909682-2248592819-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "WMPNSCFG"=-
    "FileHippo.com"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0BE365B7-D50B-439F-8AE1-A0FF24C95C1E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{14327B34-BAEF-4264-ADB9-188FE5115506}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{483830EE-A4CD-4b71-B0A3-3D82E62A6909}]
    :Commands
    [purity]
     
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:

    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Dec 23, 2012
  29. cyberjoyce

    cyberjoyce Private E-2

    Good morning Chaslang:

    I have expedited as you requested, and I am enclosing results.

    Had a problem with OTM, as the system would reload, but no access to Internet Explorer, thus had to do a system restore.

    I attempted to install updates, at first it seemed to have worked; but then I went to check and I got the same error message. I am now installing the file you sent me from Microsoft, and I will attempt later, as I have to go out.

    Thank you so much for your continued help!

    Warm regards,

    Cyberjoyce
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Doing this restore undoes what we already fixed. Which restore point date did you use?

    I don't know what you are referring to. I had no file from Microsoft in my last fix. Earlier I sent you to Microsoft link but you said you already did that.

    I think it is time for you to use the factory image to reimage your PC.
     
  31. cyberjoyce

    cyberjoyce Private E-2

    Good day Chaslang:

    My apologies for erroneously indicating file from Microsoft, what I was referring to was the Windows Repair file.

    I redid the Tweaking, then proceeded to do OTM, and the system shut down and I cannot connect to Aline's computer once again.

    The restore I did last go round was Dec 23, 2012 after OTM blocked the computer.

    Chaslang, I followed your instructions, now when you refer to using the factory image to re-image the computer, what exactly does this entail?

    Your help with this would be most appreciated.

    Hope you had a nice Xmas!

    Looking forward to hearing from you.

    Warm regards,

    Cyberjoyce
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is also something you will need to work on in the Software Forum. You will need to provide the manufacturer name and model of the PC. Typically there are key sequences you can use at startup to get a menu to do this. Each vendor can be somewhat different.
     
