Malicious programs downloaded

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Beseech, May 17, 2013.

  1. Beseech

    Beseech Private E-2

    This might be slightly long, but bear with me; this is interesting.

    So, last night I allowed my idiot tenant to show me a website called 1channel.ch. It has free movies to downstream. Anyway, I wasn't watching closely what he was doing, but he did something wrong.

    Somehow, in the span of a minute, he downloaded several programs. I think they were called: Optimizer Pro, My PCBackup, Whitesmoke toolbar, and Search.conduit webpage/search engine.

    I looked at the history of IE (which he used) and within that span of a minute or two he apparently accessed eighteen different websites--which is impossible. He really only went to 1channel. (I can list the websites if you want me to.)

    Anyway, I tried to delete these programs. I eventually deleted everything, but it was very difficult: the programs simply wouldn't uninstall.

    Search.conduit and whitesmoke toolbar took over both IE and Chrome, even though my tenant used IE, and IE was the default browser.
    Search.conduit displaced the homepage without permission. Search.conduit was especially difficult to remove. Even after uninstalling it, it remained present.
    Eventually, however, I did eliminate it.

    So my questions are briefly:

    What exactly happened? How could IE's history say that 18 different webpages were accessed in a span of a minute, when he only went to one webpage, namely 1channel.ch?
    Is 1channel.ch a safe website to visit?

    What is search.conduit? Why did it displace my homepages in both Chrome and IE without permission?

    Is whitesmoke toolbar safe? How was it suddenly downloaded?

    What about Optimizer Pro? and My PCBackup?

    While Optimizer Pro was downloading, I couldn't even stop the download--it wouldn't let me. I even tried forcing a stop-download through task manager, and it wouldn't allow me to. I had to shut down my computer to halt it.

    Important:

    Even though I seem to have fixed everything, is it possible that there could be some malicious program or anything else residing on my computer? I ran an AV scan and nothing was found, but could there be anything else malicious? I'm a little worried because I don't want hackers getting into my computer.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One page can load links to many different websites.


    That's why it is called malware/junkware. ;)

    No it is not safe. It was downloaded when you allowed him to access questionable sites that downloaded loads of junkware.

    More malware/junkware.


    You should run thru the below:


    READ & RUN ME FIRST. Malware Removal Guide
     
  3. Beseech

    Beseech Private E-2

    Hi Chaslang, thanks for responding to my post. :)

    So, I guess I will have to run Malware Removal. You directed me to the Malware Removal Guide, which I then read.

    Step 2 says that I must have only one of AV and one firewall program. I think that I only have one of each, though not totally sure. I know that Norton 360 AV and firewall are enabled.

    Step 4: I must disable Disk Emulation Software. I followed the link and it says to download DeFogger. Should I go ahead and download DeFogger?

    Step 5: I don't currently have CCleaner. Should I download it? (Note that I haven't NOTICED any missing icons, items from Start menu, Programs, etc.)

    After this I'll be ready to run the cleaning procedure of Step 6.
     
  4. Beseech

    Beseech Private E-2

    Hi,

    So I went through the Malware Removal Guide, and to disable Disk Emulation Software, I tried to download DeFogger.

    But there was a problem with it: I downloaded it and it asked if I wanted to
    "allow the following program from an unknown publisher to make changes to this computer."

    I clicked Yes. Then a pop up box appeared which asked something about "re-enabling". I clicked Yes, so that I could proceed. Then another pop-up box appeared, and I clicked "Re-enable" (so that I could continue).

    But a pop-up box then appeared. It said, "Unable to Open."

    I tried the process a few more times. And although I wasn't able to continue past the "Re-enable" button, it now says that DeFogger is working.

    I don't know how to make sense of all this. Please help me out. I really need it. (I think that it's probably working in my system now, just not certain.) :)


    I also downloaded CCleaner. I hope I did it correctly--It directed me to a website called Piriform which asked for my email address to get newsletters about CCleaner. I entered my email address. Piriform is not another malicious website is it? I worried about that now.
     
    Last edited: May 20, 2013
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    You only need to do this if you are using disc emulation software. If not using any or not sure, or if having a problem with it, just skip it and continue with the next steps.

    Yes, install it and run as instructed. The warning is there for malware cases that have removed icons from the desktop or have removed entries from the start menu or quick launch ....etc. You would know if you had this kind of malware. ;)
     
  6. Beseech

    Beseech Private E-2

    Chaslang, I don't mean to ask a stupid question, but I'm a bit confused:

    I am going to run CCleaner, and the instructions are to run the default settings on the Windows tab; and not to run any of the options on the other tabs. The only other tab is Applications; so am I to deselect all of the checked boxes in the Applications tab?

    Why do the applications not need to be cleaned? Why are they to be deselected?
     
  7. Beseech

    Beseech Private E-2

    (Please notice that I have another post immediately before this one.)

    So I downloaded all of the "Downloading Tools" (Step 1) of the "Vista and Win 7 Malware Removal/Cleaning Procedure."

    I downloaded all of them to my Desktop; I hope that's correct.

    For the Malwarebytes Anti-Malware program, I changed the name to mb by right-clicking the Desktop icon and selecting "rename". I hope this is correct.
    (Also, the instructions do not say where to download Malwarebytes, so I put it on Desktop, like the others.)

    Also note that I received a warning symbol for Malwarebytes, saying: "This type of file can harm your computer. Do you want to keep mbam-setup-1.75.0....exe anyway?" And there's a Keep and a Discard button.

    Please clarify these issues for me. :)


    I also want to note that some of these programs I downloaded more than once. Should I delete the other downloaded instances? How should I do so? :)
     
    Last edited: May 21, 2013
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. It was a bit unclear. I changed the instructions. Take a look at them now and see if it is more clear. :)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's fine.

    Renaming is really only something to try if you have problems running the programs with the original names. Sometimes malware will block the execution simply by looking for the original filename. So this is just a quick workaround that sometimes will help.

    Anything you are downloading from us is not a problem and obviously we need you to download it and keep it. So yes, you need to download it. Windows and other security programs will question executable downloads in an attempt to protect you. You have to understand the difference between something you are electing to download yourself, and something that tries to download without your permission. ;)

    You only need the most recent download and it will simplify things for you to put them on your Desktop. You can right click on files and select Delete to remove them.
     
  10. Beseech

    Beseech Private E-2

    I'm sorry chaslang, but it's still ambiguous to me. :( I'm pretty sure you mean that I'm not to deselect any of the checkboxes on the Applications tab, but to leave the default checkmarks on both the Windows and Applications tab. But I get confused by (see bolded and underlined):

    • Download and install CCleaner
    • Now run CCleaner with all the default options except that if desired, you can uncheck the Cookies check box to avoid losing saved passwords. Do not change anything else.
    • Only run the Cleaner function by clicking the Run Cleaner button towards the bottom right. DO NOT, I repeat, DO NOT select the Registry option in the left column and DO NOT clean the registry. Do not run any other options from other tabs.

    (This latter sentence seems to say to deselect checkboxes in Applications tab.)

    What's worse is that after I downloaded CCleaner, I unchecked the boxes in the Applications tab and ran CCleaner. Now, when I open CCleaner, the boxes on the Applications tab are still deselected and unfortunately, I don't know which checkboxes were checkmarked by default.

    Am I to delete CCleaner program and reinstall it, so that all of the default checkboxes are checkmarked?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not a problem. This is how we get things to be understandable by everyone. ;) Comments from people like yourself only serve to make it easier for everyone else after you.

    Take a look at it again and see if it makes more sense now.
     
  12. Beseech

    Beseech Private E-2

    Hi chaslang,

    I ran CCleaner and the five anti-malware programs. Many threats were found and I followed the instructions given. I have attached the five logs.

    I must note that HitmanPro was one of the programs that discovered a lot of infections. I was instructed to press ignore for all of them, so I will now need the further instructions to delete them.

    On MGTools, for some reason, as it was extracting everything, a window appeared which asked if I was to accept the Terms of Service for a program called HiJackThis. There was nothing in the instructions about that program, nor did I ever willingly choose to download it, so I clicked the upper-right box to close that window. I don't know what to make of this.

    Also, what might be of some importance is that when I clicked the desktop icon for TDSKiller, it wasn't a zip file, but .exe, so it did NOT ask if I wanted to run the file; the program simply opened. I don't know why.

    I must also note that when HitmanPro was being set up, at the part where it asked:

    "Would you like to store a copy of the HitmanPro program file on this computer?"

    the directions were to click:

    "No, I only want to perform a one-time scan to check this computer."

    Instead, I clicked:

    "Yes, create a copy of HitmanPro so I can regularly scan this computer."

    And I left the default checkmarks, so that it automatically scans the computer daily during startup, and creates shortcuts on the desktop and start menu.


    I just thought I'd mention that; I hope it's not a matter of much importance. :)
     

    Attached Files:

    Last edited: May 25, 2013
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the instructions the below was given
    Apparently you did not click the Using MGtools link which explains HijackThis and that you needed to click the Accept button twice. ;)
    What is the below very large file on your Desktop and why is it named like this? It makes it look like malware.
    Code:
     
    ----a-w       404,948,362 2013-04-20 04:28:57  C:\Users\Philip\Desktop\15A6SS7S1CDCKW8
    Did you knowingly install GBoost?


    Uninstall the below software:
    ALOT Appbar
    DealPly
    DefaultTab
    Java(TM) 6 Update 32
    Wajam

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\ProgramData\Tarma Installer
    C:\Program Files (x86)\DealPly
    C:\Program Files (x86)\Conduit
    C:\Program Files (x86)\DefaultTab
    C:\Program Files (x86)\Wajam
    C:\Program Files (x86)\Yontoo
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DealPly
    C:\Users\Philip\AppData\Local\Wajam
    C:\Users\Philip\AppData\Roaming\DealPly
    C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam
    C:\Users\Philip\AppData\LocalLow\alotservice\alotservice.exe
    C:\Users\Philip\AppData\Local\Smartbar
    C:\Users\Philip\AppData\Local\Temp\*.*
     
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Browser Infrastructure Helper"=-
    [HKEY_USERS\S-1-5-21-4176616683-284122028-969466271-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "Browser Infrastructure Helper"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{990D8529-533D-433B-838D-6C8574DF2077}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{990D8529-533D-433B-838D-6C8574DF2077}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0FEEAC12-E12F-44D4-A59F-EF6C086F5237}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{942DD85C-A3C6-43C0-B711-0DA866D628D0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\wajam.WajamBHO.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\wajam.WajamBHO]
    [-HKEY_USERS\S-1-5-21-4176616683-284122028-969466271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wajam.WajamBHO]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wajam.WajamDownloader]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\priam_bho.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\YontooIEClient.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99066096-8989-4612-841F-621A01D54AD7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{8D8654CD-7FBC-4C7E-84E9-371BFA8DB04E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{F5F971A9-DBF8-4EEC-81E3-5F1660573E6C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DealPly]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gaiilaahiahdejapggenmdmafpmbipje]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DealPly]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Wajam]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\WajamUpdater]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WajamUpdater]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\Application\WajamUpdater]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WajamUpdater]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WajamUpdater]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WajamUpdater]
    [-HKEY_USERS\.DEFAULT\Software\DealPly]
    [-HKEY_USERS\S-1-5-18\Software\DealPly]
    [-HKEY_USERS\S-1-5-21-4176616683-284122028-969466271-1000\Software\DealPly]
    [-HKEY_USERS\S-1-5-21-4176616683-284122028-969466271-1000\Software\Google\Chrome\Extensions\gaiilaahiahdejapggenmdmafpmbipje]
    [-HKEY_USERS\S-1-5-21-4176616683-284122028-969466271-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
    [-HKEY_USERS\S-1-5-21-4176616683-284122028-969466271-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKEY_USERS\S-1-5-21-4176616683-284122028-969466271-1000\Software\Wajam]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: May 25, 2013
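    The OTM script above clears a handful of well-known persistence spots: the per-user Run key, Internet Explorer SearchScopes, Browser Helper Objects, registry-driven Chrome extension installs, and a WajamUpdater service. Before running a removal script like that, it helps to see what currently occupies those spots. The PowerShell below is an added, read-only audit for that purpose; it is not part of the MajorGeeks procedure, OTM, or any tool named in this thread, and the category names and output layout are my own. It only reads the registry and service list and prints what it finds; it deletes nothing.

```powershell
# Added example, not from the MajorGeeks thread or OTM: read-only audit of the
# persistence locations that the OTM script in this thread targets.
# Run from an elevated PowerShell so HKLM is fully readable. Nothing is modified.

$results = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Category, [string]$Location, [string]$Name, [string]$Value)
    $results.Add([pscustomobject]@{
        Category = $Category; Location = $Location; Name = $Name; Value = $Value
    })
}

# 1. Autostart values (the "Browser Infrastructure Helper" entry lived here).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        Add-Finding 'Run' $key $name $item.GetValue($name)
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID; resolve it to its DLL path
#    so you can see which file is actually being loaded into IE.
$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $clsid = $sub.PSChildName
        $dll = $null
        foreach ($root in 'HKLM:\Software\Classes\CLSID', 'HKLM:\Software\Classes\Wow6432Node\CLSID') {
            $srv = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $srv) { $dll = (Get-Item $srv).GetValue(''); break }
        }
        Add-Finding 'BHO' $key $clsid $dll
    }
}

# 3. IE search scopes: DefaultScope should point at a provider you recognise,
#    and every scope's URL should be one you chose.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Internet Explorer\SearchScopes"
    if (-not (Test-Path $key)) { continue }
    Add-Finding 'SearchScope' $key 'DefaultScope' ((Get-Item $key).GetValue('DefaultScope'))
    foreach ($scope in Get-ChildItem $key) {
        Add-Finding 'SearchScope' $key $scope.PSChildName ($scope.GetValue('URL'))
    }
}

# 4. Chrome extensions pushed through the registry (the OTM script removes three).
$chromeKeys = @(
    'HKLM:\Software\Google\Chrome\Extensions',
    'HKLM:\Software\Wow6432Node\Google\Chrome\Extensions',
    'HKCU:\Software\Google\Chrome\Extensions'
)
foreach ($key in $chromeKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($ext in Get-ChildItem $key) {
        Add-Finding 'ChromeExt' $key $ext.PSChildName ($ext.GetValue('update_url'))
    }
}

# 5. Services whose binary lives outside the Windows and Program Files trees,
#    the pattern an updater service such as WajamUpdater tends to follow.
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and ($_.PathName -notmatch '\\Windows\\') -and ($_.PathName -notmatch 'Program Files')
} | ForEach-Object { Add-Finding 'Service' $_.Name $_.DisplayName $_.PathName }

$results | Sort-Object Category, Location | Format-Table -AutoSize -Wrap
```

    Run it once before cleanup and once after, and diff the two outputs: anything that survives the removal pass, or that reappears on the next boot, is what still needs attention. The fifth check is deliberately broad; legitimate vendor services sometimes live outside Program Files, so treat it as a list to review, not a verdict.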
  14. Beseech

    Beseech Private E-2

    I performed the instructions again this time and clicked Accept for HijackThis. I hope it has been done correctly now.


    Actually, I don't know what this is. I wasn't aware that it was on my desktop, nor do I know how it got there. If it's malware, I hope that the instructions you've given me deleted it; if not, please tell me how to remove it.

    Yes, I intentionally installed it extremely recently. When my computer was starting to give me problems, I first started posting my questions in the Software forum of MajorGeeks. Someone in there recommended it and he helped me get it installed. He also helped me install Process Lasso, CleanMem and JetBoost.
    What is the issue with GBoost? Should I uninstall it?

    Done. :) Just out of curiosity, what is Wajam? Someone whom I allowed to use my computer installed it.

    I don't know if I installed it correctly. After I downloaded it, the window showed a red button, saying to press it, to ensure that I have the most up-to-date version of JAVA. I did so, and it said that my version was out of date.
    I then noticed a bar at the top of my Chrome window stating that JAVA could NOT be downloaded (I can't recall why), and it presented two buttons: "Run" and "Allow this time".
    I clicked on Run.
    All in all, I'm vexed and worried because I don't know if it is installed and running, or not; or if I accidentally installed more malware by pressing the "Verify" button. :-o

    Done.:)


    Done. :)
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right click on it and select delete. Then empty your Recycle Bin.

    Not unless it is causing you problems. I just wanted to make sure you were responsible for it.

    Junkware that most people never know they have installed and it frequently seems to come with other junkware/borderline malware like Babylon Toolbar, Yontoo,.....and the list goes on. All of which you don't want and typically will not uninstall once installed. Hence one of the many reasons for not installing this junk to begin with.

    Seems to have installed based on your logs.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  16. Beseech

    Beseech Private E-2

    Firstly, THANKS chaslang for helping me rid my system of all that malware. It's appreciated. :)

    I don't know if I should finish off these steps yet, because the evidence of malware is gone at the moment, I am worried that in the next day or two, more evidence of malware may be produced. (And it will be much more difficult if I have to run through a lot more to reinstall programs, etc. )

    But I have questions:

    In the future, if I think I have problems with malware, what do I do? Is there a handy formula of steps I can take to rid my computer of it? Or should I retrieve this thread and carry out everything you guided me through, every time?

    The important question is: I first sought help on majorgeeks a few weeks ago when I allowed someone to use my computer. Afterwards, when I moved my mouse, the speakers would make a "klunk-klunk" sound every few seconds and the mouse would freeze-up at these moments.
    I don't know if this is a malware problem or virus or if I simply need a new mouse. Today, there's no freezing-up of mouse, and no klunk-klunk. However, I DID have this issue yesterday, even after I finished all the steps you've directed me through.

    So, do you happen to know what this issue is evidence of? (Could it be malware, or maybe just time for a new mouse?)
    If the problem does NOT continue, I will complete the steps you've given in your last post, but if I continue getting this mouse-freeze and klunk-klunk, then what do I do?

    Sorry for the length of my post, but I'm just trying to ensure that we execute everything correctly, so that this thread will be successful and we can end it. :)
     
  17. Beseech

    Beseech Private E-2

    Actually, I'd like to just add that YES, I'm still experiencing the mouse freezes and "klunk-klunk". I really want this to end; I thought that malware was causing it, but even after malware removal I'm still experiencing it. :(

    (Make sure you read my post immediately below this.)
     
  18. Beseech

    Beseech Private E-2

    I forgot to mention:

    When I opened Internet Explorer, I received an unexpected pop-up box, which I screen-captured and attached to this message.
    Is it an important message? I clicked the X to close the window, because I didn't know what to do.

    I also noticed two other suspicious files in my root C drive. I screen-captured them and attached them to this message. They are files number and four in the list. They are simply long strings of numbers and lower-case letters. They might be benign, or indeed they might be malicious, but they've been there since 2011.
    If they are harmless, what exactly are they? Why so cryptic?
     
    Last edited: May 29, 2013
  19. Beseech

    Beseech Private E-2

    The website messed-up and posted a different file; not the ones I uploaded. So here they are proper.

    Sorry for making so many posts. :-o
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let it attempt to fix your search settings because they are broken.

    They are not problems. They are from Windows Updates.

    I suggest that you post about your mouse problems in the Hardware Forum.
     
  21. Beseech

    Beseech Private E-2

    Hi chaslang.

    I completed the remaining steps and I'm about to complete the final step: "How to Protect yourself from malware!"

    However, there's a problem with Malwarebytes Anti-Malware conflicting with my Norton 360. I attached a screen shot of the pop-up box that explains the conflict.

    What do I do? How can I have both Malwarebytes Anti-Malware and my Norton 360 working without conflict?

    Please help me out. We'll be able to end this thread. :)
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are running the free version of Malwarebytes, it does not provide any active protection. It is a scan only tool. Thus it does not conflict with Norton 360.

    I also do not think there would be a real conflict with the paid version of Malwarebytes either. You may want to read the below:

    http://forums.malwarebytes.org/index.php?showtopic=125465
     
    Last edited: Jun 1, 2013
