Removing Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bellyn, Aug 7, 2013.

  1. Bellyn

    Bellyn Private E-2

    Hello
    I am trying to fix my son's laptop, which he uses mainly for games and the internet. The laptop has many issues: it has a virus which has changed Windows IE and will not allow Trend Micro to scan. My service provider has informed me that a PC accessing the server (from my account) is infected with the Trojan Zeus.

    I have followed the READ & RUN ME FIRST directions and performed all requests without issue, except for Hitman Pro. After running the scan I ignored any action as requested and clicked Next, but instead of bringing up a window with scan results it was a window which asked for activation, either with a code, payment, or by activating free for 30 days. I chose the free option, and when the activation completed I clicked Next and it began resolving the issues. I immediately clicked Cancel and I have not saved a log. I could not avoid this and I hope it has not caused any issues.

    I have attached the required logs and was hoping you could help me resolve the many issues that the different tools found. Thank you!

    Kind Regards,
    Belinda.
     

    Attached Files:

  2. Bellyn

    Bellyn Private E-2

    Here are the other logs that I couldn't fit in the first post.
    Thank you
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I am going to be deleting any shortcut links to Internet Explorer that I see. They are infected. You should delete ( or manually edit the contents of ) any other shortcut links to other browsers for the same reason. You will have to recreate new shortcuts later.

    Please run the below anti-rootkit tool from Malwarebytes.

    http://blog.malwarebytes.org/news/2013/05/malwarebytes-anti-rootkit-beta-1-06/

    Attach a log from the above.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&u...MQ01ABD100_92J9P1FVTXX92J9P1FVT&ts=1372872076
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snapdo.com/?publisher=S...ype=ds&q={searchTerms}&installDate=25/04/2013
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.snapdo.com/?publisher=S...ype=ds&q={searchTerms}&installDate=25/04/2013
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&u...MQ01ABD100_92J9P1FVTXX92J9P1FVT&ts=1372872076
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qvo6.com/?utm_source=b&u...MQ01ABD100_92J9P1FVTXX92J9P1FVT&ts=1372872076
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snapdo.com/?publisher=S...ype=ds&q={searchTerms}&installDate=25/04/2013
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.snapdo.com/?publisher=S...ype=ds&q={searchTerms}&installDate=25/04/2013
    O2 - BHO: Snap.DoEngine - {31ad400d-1b06-4e33-a59a-90c2c140cba0} - mscoree.dll (file missing)
    O3 - Toolbar: Snap.Do - {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll (file missing)
    O4 - HKCU\..\Run: [Browser Infrastructure Helper] C:\Users\Belinda\AppData\Local\Smartbar\Application\SnapDo.exe startup
    O4 - HKCU\..\Run: [Utywyrsiz] C:\Users\Belinda\AppData\Roaming\Pedo\xeyq.exe
    O4 - HKCU\..\Run: [Gutaig] C:\Users\Belinda\AppData\Roaming\Siti\kyyhu.exe
    O4 - HKCU\..\Run: [Feobmeybhi] C:\Users\Belinda\AppData\Roaming\Popibo\muob.exe
    O4 - HKUS\S-1-5-21-3991063600-1222041750-1478022945-1004\..\Run: [Browser Infrastructure Helper] C:\Users\Ethan\AppData\Local\Smartbar\Application\SnapDo.exe startup (User 'Ethan')
    O4 - Startup: MyPC Backup.lnk = C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\Belinda\Desktop\setup.exe                                         
    C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk
    C:\Users\Belinda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
    C:\Program Files (x86)\SmartPCFix
    C:\windows\tasks\SmartPCFix Task.job
    C:\Program Files (x86)\MyPC Backup
    C:\ProgramData\eSafe\eGdpSvc.exe
    C:\Users\Belinda\AppData\Local\Smartbar\Application\SnapDo.exe
    C:\Users\Belinda\AppData\Roaming\Siti\kyyhu.exe
    C:\Users\Belinda\AppData\Roaming\Popibo\muob.exe
    C:\Users\Belinda\AppData\Roaming\Pedo\xeyq.exe
    C:\$Recycle.Bin\S-1-5-21-3991063600-1222041750-1478022945-1001\$b9f9f5997d18ad6dc54eb37017200ef6\n.
    C:\ProgramData\Babylon
    C:\Users\Belinda\AppData\LocalLow\Delta
    C:\windows\TEMP\*.*
    C:\Users\Belinda\AppData\Local\Temp*.* 
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\c]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltaHlpr.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltaHlpr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Babylon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr]
    [-HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1001\Software\BabylonToolbar]
    [-HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1001\Software\DataMngr]
    [-HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1001\Software\DataMngr_Toolbar]
    [-HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1001\Software\Softonic]
    [-HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1004\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1004\Software\Microsoft\Internet Explorer\Main\bProtector Start Page]
    [-HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1004\Software\Microsoft\Internet Explorer\SearchScopes\bProtectorDefaultScope]
    [-HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1004\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1004\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Browser Infrastructure Helper"=-
    "Utywyrsiz"=-
    "Gutaig"=-
    "Feobmeybhi"=-
    [HKEY_USERS\S-1-5-21-3991063600-1222041750-1478022945-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "Utywyrsiz"=-
    "Gutaig"=-
    "Feobmeybhi"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0D7C186F-49CF-4528-B1A9-A59C61BBB9F3}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the Malwarebytes Anti-Rootkit log
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
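    Added example (not from the thread and not part of chaslang's procedure): a small Python triage script that applies the reasoning behind the HijackThis selections above to log lines. It flags R0/R1 start and search pages whose host is not on a short allowlist of ordinary defaults (that allowlist is an assumption for this example), O2/O3 BHO and toolbar entries marked "(file missing)", O4 Run entries whose target lives under a user profile's AppData tree, and O16 DPF entries with no download URL. The sample lines are taken from the post above plus two constructed benign lines; the heuristics are deliberately narrow and miss some of what chaslang selected (the MyPC Backup startup entry, for instance), so the output is a first pass for review, not a verdict.

```python
import re
from urllib.parse import urlparse

# Hosts that are ordinary defaults for IE start and search pages. This
# allowlist is an assumption for this example, not something from the thread.
KNOWN_GOOD_HOSTS = {
    "www.microsoft.com", "go.microsoft.com", "www.msn.com",
    "www.bing.com", "www.google.com", "search.live.com",
}

# Startup targets inside a user profile's AppData tree are worth a second
# look: the Run entries in the post above sat in randomly named folders there.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\", re.IGNORECASE)

# Line shapes as HijackThis prints them.
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")
O23_LINE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.+?) - \{[0-9A-Fa-f-]+\} - (.*)$")
O16_LINE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((.+?)\) -\s*(.*)$")


def triage_line(line):
    """Return a short reason if the line looks like a hijack or leftover, else None."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        host = (urlparse(m.group(4).strip()).hostname or "").lower()
        if host and host not in KNOWN_GOOD_HOSTS:
            return f"{m.group(3)} points at unexpected host {host}"
        return None
    m = O4_LINE.match(line)
    if m:
        if USER_WRITABLE.search(m.group(3)):
            return f"Run entry [{m.group(2)}] starts from a user-writable profile path"
        return None
    m = O23_LINE.match(line)
    if m:
        if "(file missing)" in m.group(3):
            return f"{m.group(1)} {m.group(2)} is orphaned (file missing)"
        return None
    m = O16_LINE.match(line)
    if m and not m.group(2):
        return f"DPF {m.group(1)} has no download URL"
    return None


def triage(lines):
    """Run triage_line over a log and keep only the flagged lines with their reasons."""
    findings = []
    for raw in lines:
        reason = triage_line(raw)
        if reason:
            findings.append({"line": raw.strip(), "reason": reason})
    return findings


# Sample input: lines from the post above, plus two constructed benign lines at the end.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&u...MQ01ABD100_92J9P1FVTXX92J9P1FVT&ts=1372872076",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snapdo.com/?publisher=S...ype=ds&q={searchTerms}&installDate=25/04/2013",
    r"O2 - BHO: Snap.DoEngine - {31ad400d-1b06-4e33-a59a-90c2c140cba0} - mscoree.dll (file missing)",
    r"O3 - Toolbar: Snap.Do - {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll (file missing)",
    r"O4 - HKCU\..\Run: [Utywyrsiz] C:\Users\Belinda\AppData\Roaming\Pedo\xeyq.exe",
    r"O4 - HKUS\S-1-5-21-3991063600-1222041750-1478022945-1004\..\Run: [Browser Infrastructure Helper] C:\Users\Ethan\AppData\Local\Smartbar\Application\SnapDo.exe startup (User 'Ethan')",
    r"O4 - Startup: MyPC Backup.lnk = C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe",
    r"O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/",
    r"O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['reason']}\n    {f['line']}")
```

    Run it as a script to see the seven flagged lines; the two constructed benign lines (a Google start page and a vendor Run entry under Program Files) pass through untouched. The point of the allowlist approach is that a hijacked start page is recognisable without knowing the hijacker's domain in advance, which is how qvo6 and snapdo stand out here.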
     
  4. Bellyn

    Bellyn Private E-2

    Hi,
    I have completed everything and only had the following issue:

    I was using the IE app from the start page because IE on my taskbar was infected; at some point (possibly after I ran MGtools) my IE app disappeared.

    The good news is IE from my desktop appears to be fixed and has reset to the Google page :) Trend Micro is still appearing and disappearing when I click on it, and some things like restarting the laptop take a long time.

    I appreciate your help, thank you!

    Belinda.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember I said the below? ;)
    You will have to create a new one in quick launch by dragging from your good one on the Desktop.

    Please rerun Malwarebytes Anti-Rootkit and this time fix the problems it finds.
    Then immediately reboot. After reboot, run a new scan and attach the new log from it.

    Then run a new scan with RogueKiller and attach the new log.
     
    Last edited: Aug 8, 2013
  6. Bellyn

    Bellyn Private E-2

    Hi, sorry, I realized after I posted :-o. I have attached logs. Restarting is much faster.

    Thanks,
    Belinda
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that looks significantly better now. ;)

    How are things working?
     
  8. Bellyn

    Bellyn Private E-2

    Hi, everything is back to normal and the laptop is running at normal speed. I still can't bring up trend micro, it starts to open and disappears.

    I really appreciate your help, thank you!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Uninstall it. Then reboot and reinstall. Did that work?
     
  10. Bellyn

    Bellyn Private E-2

    Yes, it's working fine now. It prompted me to remove Malwarebytes Anti-Malware during reinstallation, which I allowed. Thank you.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  12. Bellyn

    Bellyn Private E-2

    I have completed the final steps; the laptop is running well :).

    Unfortunately I have one more issue, while deleting some unnecessary programs and files I could not delete snap.do and snap.do Engine via uninstall programs.

    Belinda.
     
  13. Bellyn

    Bellyn Private E-2

    Hello,

    sorry to bump this to the top but I've just come across some more issues. I cannot access Windows Firewall. I ran Malwarebytes Anti-Malware and it found 88 instances of PUP.Optional.Quickshare.A and PUP.Optional.DriverScanner.A. Other than that there does not seem to be any other issues.

    Thank you,:)
    Belinda.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    PUP = Potentially Unwanted Program

    DriverScanner is something you chose to install. It is in your installed programs list. If you do not want it installed you can uninstall it. It is just junk from Uniblue. Personally, I would remove it.

    The below registry patch should remove the left over registry entry from Snap.Do which is really not running/installed anymore.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    For the issue with the Windows Firewall, see if the below corrects it.


    Be patient while doing the below. The fixes can sometimes take quite a while to run, especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished. If it does not then reboot it yourself.

    Any change?
     
    Last edited: Aug 10, 2013
  15. Bellyn

    Bellyn Private E-2

    Hi,

    I have completed registry patch and received a success message. I have followed the instructions for downloading Windows repair but I am unable to select Reset Registry Permissions, it has in brackets (disabled in Windows 8 due to App store bug). Thank you!
    Belinda
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then skip that selection and any others it does not allow for Win 8.
     
  17. Bellyn

    Bellyn Private E-2

    Hi, I was able to choose all the others. It has finished already and PC restarted, unfortunately it hasn't fixed windows firewall.

    Thanks,
    Belinda
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Goto the below link and download the BFE.reg and MpsSvc.reg registry patches and save them to your Desktop.

    http://download.bleepingcomputer.com/win-services/8/

    • Now please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the BFE.reg file saved to your Desktop and double click it. Allow it to be added to the registry. Repeat this for the MpsSvc.reg file.
    Now reboot your PC.

    After reboot, see if the firewall is working. If it is still not working, please do the below.

    Download the new version of MGtools and save it to your root folder. Overwrite any previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista, Win7, or Win8, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below logs:
    • C:\MGlogs.zip
     
  19. Bellyn

    Bellyn Private E-2

    Hi,

    I have attached the mgtools log, the first fix didn't work.

    I am now receiving a regular message on my task bar with the heading (check virus protection) Windows Defender and Trend Micro are both turned off. Trend Micro is working and is showing as protected.

    Thanks, :)
    Belinda
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What exactly happened? Did they import/merge without any error messages?

    The new MGtools did not run properly. Disable your protection software and run it again. Make sure you use Run As Administrator and let it finish running before attaching the log.
     
  21. Bellyn

    Bellyn Private E-2

    Hi,

    I'm very sorry for the confusion on my part, I was still thinking of the previous windows repair results. Yes I received a success message both times when they merged, I restarted the laptop but there was no change.

    I have attached the new mgtools log, which I run with trend micro off this time.

    Thank you for your patience :)

    Belinda.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Okay, that did get the missing registry entries for the services added back in, and I can see that the BFE service is now running, but the below is still seen:
    Code:
    .
       Windows Firewall Service is NOT running  
            C:\windows\system32\FirewallAPI.dll exists  
    I want to see exactly what error messages may be occurring if we try to start this service manually. So follow the below instructions:
    • Hold down the Windows Logo key while also pressing the r key ( Windows + r ).
    • This should open the Run dialog box. Type services.msc into the Open: box and click OK.
    • This should open the Services form.
    • Scroll down to the Windows Firewall line item and double click it and the Windows Firewall Properties form will open.
    • On this form make sure the Startup type: is set to Automatic and also change the Service status: from Stopped to Running by clicking the Start button.
    • Does it change to Running or is there an error message? If an error occurs, tell me the exact word for word error message.
     
    Last edited: Aug 13, 2013
  23. Bellyn

    Bellyn Private E-2

    Hi, I received the following error message:

    Windows could not start the Windows Firewall on Local Computer. For more information review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service error code 5.

    A few other issues have appeared: the Trend Micro icon on the desktop has disappeared and I can't launch Trend Micro from the start screen, and the IE icon has disappeared also. There are several errors in the Action Center; two messages state that Windows Defender and Trend Micro are both turned off, and one is about the Windows Firewall.

    A ZoneAlarm icon has also appeared in the hidden desktop icons, and when I hold the arrow over it, it says installation in progress, but I don't have ZoneAlarm installed.

    Thank you :)
    Belinda.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually you never really got it uninstalled properly. Several items still show in your logs and this could be part of your problem. Try running the below:

    Zone Alarm Uninstall 11.0.054.000

    Also uninstall any traces of Trend Micro that you have installed and do not reinstall ( at least not yet!!! I want to make sure it does not get in our way of cleanup.)


    Then reboot your PC. After reboot, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
  25. Bellyn

    Bellyn Private E-2

    Hi, here is the log

    Thanks, :)
    Belinda
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay ZoneAlarm is still not completely gone. We will force it and some other unwanted items out. But first a question! Do you know what the below items are for?
    Code:
    d-----w                 0 2013-08-02 06:29:46  C:\Program Files (x86)\Project64 1.6
    d-----w                 0 2013-08-09 07:29:17  C:\Program Files (x86)\Project64 2.0
    
    Now please disable UAC and keep it disabled until we are completely finished with cleanup. I see it enabled per your logs. At least some part of it is disabled because the below value is set to 1
    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    
    :Files
    C:\Users\Belinda\Desktop\MyPC Backup.lnk
    C:\Program Files (x86)\Check Point Software Technologies LTD
    C:\ProgramData\AVG
    C:\ProgramData\CheckPoint
    C:\ProgramData\Trend Micro
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue
    C:\Program Files (x86)\CheckPoint
    C:\Program Files (x86)\Uniblue
    C:\windows\tasks\dsmonitor.job
    C:\windows\TEMP\*.*
    C:\Users\Belinda\AppData\Local\Temp\*.*
    
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm Toolbar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm Security Toolbar]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{10244EFB-BB92-43B1-931D-A8224C4BB736}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{10244EFB-BB92-43B1-931D-A8224C4BB736}"
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  27. Bellyn

    Bellyn Private E-2

    Hi,
    I believe they are associated with some Nintendo 64 emulation program that my son downloaded, or something to do with the game.
    Thank you I will complete the rest now.
    Belinda :)
     
  28. Bellyn

    Bellyn Private E-2

    Hi,
    I checked the UAC and the slider was set to never notify. I have attached the logs, I still seem to be having the same issues with Windows Firewall. Windows defender turned itself on, should I leave this?

    Thank you, :)
    Belinda.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, this is normal. In Windows 8, Windows Defender replaced what Microsoft Security Essentials used to be for Win 7 and below. That is, it is both an antivirus and an antispyware program. A feature that Microsoft added in was to automatically disable Windows Defender if a third-party antivirus is installed. Similarly, it is automatically enabled when no third-party antivirus is installed. And we just removed Trend Micro. ;)


    Yes I can see the below in the nwktst.txt log that is part of MGlogs.zip
    Code:
    =====================================================================================
    Checking Windows Firewall Service -MpsSvc- State
    .
       Windows Firewall Service is NOT running
            C:\windows\system32\FirewallAPI.dll exists
    The Windows Firewall short service name is MpsSvc and something is stopping it from getting started even after we fixed a bunch of other services that were broken. I was concerned with the possibility of a permissions issue, which was why I asked you to run Windows Repair from Tweaking.com, but you cannot run the permissions fixes on Win 8.

    Please follow the below instructions.


    First we are going to run the Windows System File Checker program.
    • Hold down the Windows Logo key while also pressing the r key ( Windows + r ).
    • This should open the Run dialog box. Type c:\windows\system32 into the Open: box and click OK.
    • This should open up a Windows Explorer window with the system32 folder shown.
    • Scroll down in this window until you see the cmd.exe file ( should have a little black command prompt window icon ).
    • Right click on cmd.exe and select Run As Administrator. If you get prompted about running this, just approve it.
    • Now in the command prompt window type the below and click OK. Note: There is a space after the sfc.
      • sfc /scannow
    • This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.
    • Reboot your PC after this has finished running. When it finishes, you should just see the command line prompt return.

    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
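    The state check that the nwktst.txt excerpt above reports can be reproduced from an elevated PowerShell prompt. This is an added read-only diagnostic, not a tool from the thread; it assumes the standard per-service registry location under HKLM\SYSTEM\CurrentControlSet\Services (which the thread itself does not quote) and changes nothing on the machine.

```powershell
# Added example, not from the thread: a read-only check that mirrors what the
# nwktst.txt excerpt reports for the Windows Firewall service, plus the two
# things the thread suspected (permissions, broken dependencies).
# Run from an elevated PowerShell prompt; nothing is modified.

$svcName = 'MpsSvc'   # short service name of the Windows Firewall service, as in the log

# Service state and start type
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Windows Firewall Service ($svcName) is NOT installed"
} else {
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
    Write-Output ("Windows Firewall Service state: {0} (start mode: {1})" -f $svc.Status, $cim.StartMode)
}

# The DLL the log checks for
$dll = Join-Path $env:SystemRoot 'System32\FirewallAPI.dll'
if (Test-Path $dll) { Write-Output "$dll exists" } else { Write-Output "$dll is MISSING" }

# Permissions on the service's registry key. The thread suspected a permissions
# problem; listing the ACL lets it be compared against a healthy Windows 8
# machine before anything is changed. (Key path is the standard per-service
# location, an assumption of this example, not a value quoted in the thread.)
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
if (Test-Path $key) {
    Write-Output "ACL on ${key}:"
    (Get-Acl -Path $key).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
} else {
    Write-Output "Service registry key $key not found"
}

# Dependencies: MpsSvc cannot start while a service it depends on is stopped,
# which is the same kind of breakage the earlier service fixes addressed.
if ($svc) {
    Write-Output "Services MpsSvc depends on:"
    $svc.ServicesDependedOn | Select-Object Name, Status | Format-Table -AutoSize
}
```

A stopped dependency or an ACL that lacks the expected entries is where to look next; the script only reports, so any change is still a separate, deliberate step.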
     
  30. Bellyn

    Bellyn Private E-2

    Hi,
    Here is the log.

    Thanks :)
     

    Attached Files:

    • FSS.txt
  31. Bellyn

    Bellyn Private E-2

    Hi,
    Last night I decided to perform a system restore. After deleting all the files and music etc the only thing left that my son wanted to keep was steam, and a few other games. The games can be reinstalled if they are safe, so I went ahead and performed the restore.

    The laptop is back to how it was when I purchased it. Toshiba preinstalled Norton so my only issue now (I hope) is how to remove Norton and install my purchased copy of Trend Micro, or if I should use either :confused

    I'm hoping that no damage was done that will cause issues down the track. I really appreciate your help and time. This site is great :)

    Thank you,
    Belinda
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Okay, that is a factory restore as opposed to a system restore. ;) Too bad I could not get back to you last night before this. I had one more thing to try as I still suspected it was a permissions issue that needed to be fixed. And we could not use Windows Repair to do this. I was going to give step by step instructions to add an Everyone user account to the registry key for the Windows 8 firewall. And then we would grant it full permissions. My guess is that this would have fixed the final issue because it was not due to any remaining malware and other services had already been fixed.

    That's up to you. Stick with what you like and feel comfortable with but make sure that if you decide to use TrendMicro that you 100% uninstall the Norton trial stuff first!

    You probably have a lot of other junk that was preinstalled that you also do not need or want.
     
  33. Bellyn

    Bellyn Private E-2

    Hi,
    I would have liked to fix the problem, but I realised it would be beneficial to have everything cleaned and there wasn't anything to save.

    There's heaps of apps and things to remove. I'm going to search majorgeeks for info on Norton, I'm starting to think it might be easier to leave it. I'll do some research on other brands.

    If I do remove Norton, I'll definitely be very careful to do it properly. Norton has windows firewall disabled so I haven't seen it working yet, I admit it's making me nervous :-D.

    Thank you,
    Belinda.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Norton's Security Suite has its own firewall and that will automatically disable the Windows Firewall. The TrendMicro application you were using does not have a firewall. They imply they enhance the Windows firewall.

    You will see a lot of negative comments about Norton. Many justified for older vintages of software. The newer versions are actually not as bad. You will have to judge for yourself how it affects your PC's performance.
     
