mydad

Discussion in 'Malware Help (A Specialist Will Reply)' started by bricht, Oct 18, 2013.

  1. bricht

    bricht Private E-2

    my dad keeps getting malware (he is 80) and I am attaching the logs as requested. I am going to make myself administrator as soon as this computer is clean so my weekends aren't spent repairing the damage.
    please advise my next steps..thanks referred by dorzic
     
  2. bricht

    bricht Private E-2

    hopefully these attachments will attach
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to also attach logs from the below scans that were requested:
    • Malwarebytes
    • TDSSKiller
    • MGtools
     
  4. bricht

    bricht Private E-2

    Sorry for the delay. Comcast screwed up and I was offline for 3 days. More logs are attached. Note: Dad's PC has PC Speed Maximizer on it:(

    I have one more file that won't upload (mbam-log-2013-10-18 (14-17-35).txt) but it doesn't seem to be loading. Will try again.
     

    Attached Files:

  5. bricht

    bricht Private E-2

    Cannot get last file to upload. It's much bigger than the other 3 mbam files, 2587KB. Any suggestions? Thanks.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What last log are you referring to?

    You need to attach the MGlogs.zip from MGtools. GetUnKey.txt is not the correct log. It is just one of many which should be in MGlogs.zip
     
  7. bricht

    bricht Private E-2

    Oops. MGlogs.zip attached. I sent 3 files from Malwarebytes. I have 4. The last one is a much larger file and it won't upload.

    The beginning of the log is:
    Malwarebytes Anti-Malware (Trial) 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.10.18.10

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 11.0.9600.16411
    User :: USER-PC [administrator]

    Protection: Enabled

    10/18/2013 2:17:35 PM
    mbam-log-2013-10-18 (14-17-35).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 230284
    Time elapsed: 1 minute(s), 42 second(s)

    Memory Processes Detected: 14
    C:\Program Files (x86)\Movies Toolbar\Datamngr\DatamngrCoordinator.exe (PUP.Optional.Bandoo.A) -> 3288 -> No action taken.
    C:\Program Files (x86)\Movies Toolbar\Datamngr\DatamngrCoordinator.exe (PUP.Optional.Bandoo.A) -> 3168 -> No action taken.
    C:\Program Files (x86)\Movies Toolbar\Datamngr\DatamngrUI.exe (PUP.Optional.Bandoo.A) -> 3308 -> No action taken.
    C:\Users\User\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe (PUP.Optional.DefaultTab.A) -> 3236 -> No action taken.
    C:\Program Files (x86)\Desk 365\desk365.exe (PUP.Optional.Desk365.A) -> 2428 -> No action taken.
    C:\Program Files (x86)\Desk 365\deskSvc.exe (PUP.Optional.Desk365.A) -> 1296 -> No action taken.
    C:\Program Files (x86)\Fast Free Converter\FastFreeConverterUpdt.exe (PUP.Optional.FastFreeConverter.A) -> 3300 -> No action taken.
    C:\Program Files (x86)\Common Files\Umbrella\Umbrella.exe (PUP.Optional.Iminent) -> 3824 -> No action taken.
    C:\Program Files (x86)\Iminent\Iminent.Messengers.exe (PUP.Optional.Iminent.A) -> 2376 -> No action taken.
    C:\Program Files (x86)\Iminent\Iminent.exe (PUP.Optional.Iminent.A) -> 2148 -> No action taken.
    C:\Program Files (x86)\Optimizer Pro\OptProSmartScan.exe (PUP.Optional.OptimizerPro.A) -> 2112 -> No action taken.
    C:\Users\User\AppData\Local\Smartbar\Application\QuickShare.exe (PUP.Optional.SmartBar.A) -> 2324 -> No action taken.
    C:\Program Files (x86)\PC Health Kit\PCHKReminder.exe (Rogue.PCHealthKit) -> 2212 -> Delete on reboot.
    C:\Program Files (x86)\PC Health Kit\PCHKSmartScan.exe (Rogue.PCHealthKit) -> 1908 -> Delete on reboot.
     

    Attached Files:
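
Added example (not part of this thread, and not code from Malwarebytes or MajorGeeks): a small Python triage script for MBAM 1.x text logs of the kind quoted above. It parses the header and the "... Detected:" sections, lists every item still marked "No action taken" (the point chaslang makes in the next reply), separates items waiting for a reboot, and reports any section that lists fewer items than its declared count, which is what a partial log like the one above looks like. The excerpt embedded as SAMPLE_LOG is taken from the log quoted in this post; the function names parse_mbam_log and triage are my own.

```python
"""Triage helper for Malwarebytes Anti-Malware 1.x text logs.

Added example for this thread; not code from Malwarebytes or MajorGeeks.
Function names parse_mbam_log/triage and the bucket names are my own.
"""
import re
from collections import Counter

# Excerpt of the MBAM 1.75 log quoted in this post (header trimmed, five of
# the fourteen process lines kept), used as sample input.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.18.10

Scan type: Quick scan
Objects scanned: 230284
Time elapsed: 1 minute(s), 42 second(s)

Memory Processes Detected: 14
C:\Program Files (x86)\Movies Toolbar\Datamngr\DatamngrCoordinator.exe (PUP.Optional.Bandoo.A) -> 3288 -> No action taken.
C:\Users\User\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe (PUP.Optional.DefaultTab.A) -> 3236 -> No action taken.
C:\Program Files (x86)\Common Files\Umbrella\Umbrella.exe (PUP.Optional.Iminent) -> 3824 -> No action taken.
C:\Program Files (x86)\PC Health Kit\PCHKReminder.exe (Rogue.PCHealthKit) -> 2212 -> Delete on reboot.
C:\Program Files (x86)\PC Health Kit\PCHKSmartScan.exe (Rogue.PCHealthKit) -> 1908 -> Delete on reboot.
"""

# "Field: value" header lines worth keeping.
HEADER_RE = re.compile(
    r"^(?P<field>Scan type|Objects scanned|Database version|Time elapsed): (?P<value>.+)$")
# "Memory Processes Detected: 14", "Files Detected: 3", ...
SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: (?P<count>\d+)$")
# Process lines carry a PID between two arrows; file/registry lines have
# only "<object> (<signature>) -> <action>."
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<signature>[^()]+)\)(?: -> (?P<pid>\d+))? -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {"header": {...}, "sections": {name: {"declared": n, "items": [...]}}}."""
    report = {"header": {}, "sections": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            report["header"][m.group("field")] = m.group("value")
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            report["sections"][current] = {"declared": int(m.group("count")), "items": []}
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            report["sections"][current]["items"].append(m.groupdict())
    return report


def triage(report):
    """Separate what the user still has to act on from what is already handled."""
    unhandled, pending_reboot, truncated = [], [], []
    by_category = Counter()
    for name, sec in report["sections"].items():
        # Fewer parsed items than the declared count means the log was cut off.
        if len(sec["items"]) != sec["declared"]:
            truncated.append(name)
        for item in sec["items"]:
            by_category[item["signature"].split(".")[0]] += 1   # PUP, Rogue, Trojan, ...
            if item["action"] == "No action taken":
                unhandled.append(item["path"])
            elif item["action"] == "Delete on reboot":
                pending_reboot.append(item["path"])
    return {"unhandled": unhandled, "pending_reboot": pending_reboot,
            "by_category": dict(by_category), "truncated_sections": truncated}


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG))
    print(f"{len(result['unhandled'])} item(s) still need action; "
          f"{len(result['pending_reboot'])} wait for a reboot; "
          f"by category: {result['by_category']}; "
          f"truncated sections: {result['truncated_sections']}")
```

The "truncated_sections" check is the useful part when a log arrives by copy-and-paste: a section header that promises 14 items but delivers 5 tells the helper the rest of the log never made it, before anyone reads the items that did.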

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you seem to be having someone add more infections each day. Your first logs had very little and now there is more. All normal use of the PC should stop until it is cleaned!!!!

    You can compress the Malwarebytes log into a ZIP file and attach that. But make sure you fix everything found first and then save the log. What you just posted showed you were taking no action and those are all problems.

    A new log from MGtools will have to be obtained after doing the above.
     
  9. bricht

    bricht Private E-2

    Just rescanned everything. Still having PC Speed Maximizer pop up at every reboot. Mozilla Firefox kept getting infected so I've deleted it and am only using IE. Log files are attached.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did someone just install that Reimage program showing in the Hitman Pro log? Nothing should be changed on this PC except for what we request once the cleaning process is 100% finished.

    Uninstalling Firefox is not good enough. The problems will return unless the folders for it are removed too and I will delete them below.

    You appear to be quite a junk collector. You need to start being a lot more careful on what you are downloading and installing.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Utility Chest Search Scope Monitor] "C:\PROGRA~2\UTILIT~2\bar\1.bin\49srchmn.exe" /m=2 /w /h
    O4 - HKLM\..\Run: [UtilityChest_49 Browser Plugin Loader] C:\PROGRA~2\UTILIT~2\bar\1.bin\49brmon.exe
    O4 - HKCU\..\Run: [PC Speed Maximizer] C:\Program Files (x86)\PC Speed Maximizer\SPMLauncher.exe
    O4 - HKCU\..\Run: [Apps Hat] C:\Users\User\AppData\Local\WebPlayer\AppsHat\WebPlayer.exe
    O4 - HKCU\..\Run: [FLV Player] C:\Users\User\AppData\Local\WebPlayer\FLV Player\WebPlayer.exe
    O4 - Startup: MyPC Backup.lnk = C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe
    O20 - AppInit_DLLs: c:\progra~3\wincert\win32c~1.dll
    O23 - Service: Computer Backup (MyPC Backup) (BackupStack) - Just Develop It - C:\Program Files (x86)\MyPC Backup\BackupStack.exe

    After clicking Fix, exit HJT.

    Now uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    AVG SafeGuard toolbar
    DriverUpdate
    FlvPlayer
    Iminent
    PC Speed Maximizer v3.2
    QuickShare
    Qwiklinx
    Search Protect
    TelevisionFanatic Firefox Toolbar
    TelevisionFanatic Internet Explorer Toolbar
    Utility Chest Firefox Toolbar
    Utility Chest Internet Explorer Toolbar
    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Services
    MyPC Backup
    BackupStack
     
    :Files
    C:\Users\User\AppData\Local\WebPlayer\AppsHat\WebPlayer.exe
    C:\Users\User\AppData\Local\WebPlayer\FLV Player\WebPlayer.exe
    C:\Users\User\AppData\Local\WebPlayer
    C:\PROGRA~2\UTILIT~2
    C:\Users\User\AppData\Roaming\Mozilla\Firefox
    C:\Program Files (x86)\Mozilla Firefox
    C:\Windows\tasks\DriverUpdate Startup.job
    C:\Windows\tasks\RegTask.job
    C:\Users\User\AppData\Local\Temp\ReimagePackage.exe
    C:\Windows\Prefetch\REIMAGEREPAIR.EXE-33174D3E.pf
    C:\Windows\Prefetch\REIMAGEREPAIR.EXE-33174D3E.pf
    C:\Windows\Prefetch\REGSVR32.EXE-8461DBEE.pf
    C:\Users\User\AppData\Local\Temp\~nsu.tmp\Au_.exe
    C:\ProgramData\Babylon
    C:\ProgramData\BitGuard\ (SpeedUpMyPC)
    C:\ProgramData\BrowserProtect
    C:\ProgramData\Browser Manager
    C:\ProgramData\Conduit
    C:\ProgramData\Iminent
    C:\ProgramData\ParetoLogic
    C:\ProgramData\PC Optimizer Pro
    C:\ProgramData\PCFixSpeed
    C:\ProgramData\Wincert
    C:\Program Files (x86)\KeyBar_1.8
    C:\Program Files (x86)\OtShot
    C:\Users\User\AppData\Local\Conduit
    C:\Users\User\AppData\Local\Wajam
    C:\Users\User\AppData\LocalLow\Conduit
    C:\Users\User\AppData\LocalLow\Delta\ (Delta Search)
    C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DealPly
    C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BrowserSafeguard
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Pro
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FlvPlayer
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Optimizer Pro
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Maximizer
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RebateInformer
    C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
    C:\Users\User\AppData\Roaming\Uniblue
    C:\Program Files (x86)\Conduit
    C:\Program Files (x86)\Desk 365
    C:\Program Files (x86)\Driver Pro
    C:\Program Files (x86)\DriverUpdate
    C:\Program Files (x86)\FlvPlayer
    C:\Program Files (x86)\Iminent
    C:\Program Files (x86)\Inbox.com
    C:\Program Files (x86)\InternetHelper3.1
    C:\Program Files (x86)\KeyBar_1.12
    C:\Program Files (x86)\mixidj
    C:\Program Files (x86)\MixiDJ_V31
    C:\Program Files (x86)\MixiDJ_V44
    C:\Program Files (x86)\Movies Toolbar
    C:\Program Files (x86)\Mozilla Firefoxsafeguard-secure-search.xml
    C:\Program Files (x86)\MyPC Backup
    C:\Program Files (x86)\Mysearchdial
    C:\Program Files (x86)\Optimizer Pro
    C:\Program Files (x86)\PC Performer
    C:\Program Files (x86)\PC Speed Maximizer
    C:\Program Files (x86)\Playbryte
    C:\Program Files (x86)\PricePeep
    C:\Program Files (x86)\Qwiklinx
    C:\Program Files (x86)\SaveValet
    C:\Program Files (x86)\SearchProtect
    C:\Program Files (x86)\Speed Analysis 2
    C:\Program Files (x86)\SpeedItup Free
    C:\Program Files (x86)\SweetPacks
    C:\Program Files (x86)\SweetPacks_A1
    C:\Program Files (x86)\SweetPacks_A2
    C:\Program Files (x86)\Uniblue
    C:\Program Files (x86)\UtilityChest_49
    C:\Program Files (x86)\Vafmusic6
    C:\Users\User\AppData\Local\Temp\*.*
     
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    "ShowSearchSuggestionsInAddressGlobal"=dword:00000001
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0D36EB03-0905-42E3-AFB5-6F1FBE6AA79E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{53C08D24-8193-4579-A821-66A6819D1A27}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\s]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Datamngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\deskSvc]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\hdcode]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\desksvc]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\Application\desksvc]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\desksvc]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\AppDataLow\Software\Smartbar]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\BabSolution]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\Smartbar]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E197433B-1E97-4F54-A435-6F903EBCA15B}]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "PC Speed Maximizer"=-
    "Apps Hat"=-
    "FLV Player"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Utility Chest Search Scope Monitor"=-
    "UtilityChest_49 Browser Plugin Loader"=-
    "vProt"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "Utility Chest Search Scope Monitor"=-
    "UtilityChest_49 Browser Plugin Loader"=-
    "vProt"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Oct 25, 2013
  11. bricht

    bricht Private E-2

    When I tried to run RogueKiller, a window popped up saying I needed to update driver. I got suspicious thinking since it didn't ask that the previous day when I ran it, maybe it was malware...I looked up what I thought was the company that made it and was told it was safe (somewhere???). Then I saw that company had both RogueKiller.exe and RogueKillerX64.exe so I deleted the old version on the pc. Then I tried to download the RKx64 file, but the download button downloaded ReImage instead. Anyway, sorry about that. Like father, like daughter. You don't miss a thing!

    Okay, I just right-clicked MGtools and ran as Administrator, but it didn't give me the option to "do a system scan only". It ran the whole thing. I stopped there. I don't know if you want me to complete the rest of your instructions or ...?
     
    Last edited by a moderator: Oct 24, 2013
  12. bricht

    bricht Private E-2

    Nevermind my previous post. I followed your instructions. After rebooting, a window popped up saying IE needed to download the following toolbars, but I don't see them after running MGlogs:
    Name: Ask.com
    Status:
    Listing order: 1
    Search suggestions: Enabled
    Top result: Not Available

    Name: Bing
    Status: Default
    Listing order: 2
    Search suggestions: Enabled
    Top result: Enabled

    Name: Norton Safe Search
    Status:
    Listing order: 3
    Search suggestions: Enabled
    Top result: Not Available

    PC seems to be running fine! If I don't have more to do, thank you very much for your help!
     

    Attached Files:

    Last edited by a moderator: Oct 24, 2013
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  14. bricht

    bricht Private E-2

    Argh! Tried to download Defogger and ended up with Conduit! Sh*t! Help?
     
  15. bricht

    bricht Private E-2

    One more time...ran same tests. Logs are attached. :(
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you went surfing in the same places again and reinstalled the same garbage plus a little more. This has nothing to do with Defogger and you did not need it anyway since you never ran it during the first steps of the READ & RUN and also you do not have disk emulation software installed.

    Please do not save programs we ask you to download here>>> C:\Users\User\Desktop\geek programs\MGtools.exe
    Please save where requested.

    Uninstall PC Speed Maximizer v3.2 again

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:49164;https=127.0.0.1:49164
    R3 - URLSearchHook: KeyBar 1.8 Toolbar - {9ed31f84-c8b3-4926-b950-dff74047ff79} - C:\Program Files (x86)\KeyBar_1.8\prxtbKeyB.dll
    O2 - BHO: KeyBar 1.8 - {9ed31f84-c8b3-4926-b950-dff74047ff79} - C:\Program Files (x86)\KeyBar_1.8\prxtbKeyB.dll
    O2 - BHO: Norton Identity Protection - {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - (no file)
    O3 - Toolbar: KeyBar 1.8 Toolbar - {9ed31f84-c8b3-4926-b950-dff74047ff79} - C:\Program Files (x86)\KeyBar_1.8\prxtbKeyB.dll
    O4 - HKLM\..\Run: [OtShot] C:\Program Files (x86)\OtShot\otshot.exe -minimize

    After clicking Fix, exit HJT.

    Now run the same fix with OTM as I gave you back in message # 10 and keep going thru to the end of that fix and attach the new logs.
     
    Last edited: Oct 25, 2013
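
Added example, not part of the thread and not a feature of HijackThis or MGtools: a Python reviewer for HijackThis-style lines that sorts them into flagged, clean and unclassified, with a reason for each flag. The heuristics are mine, not chaslang's rules: a browser proxy on 127.0.0.1 (the R1 line above means something on the machine is sitting between the browser and the network), AppInit_DLLs set, a service whose file is missing or owner is unknown, a BHO registered with no file, and Run entries that launch from AppData or Temp, through rundll32, or via 8.3 short paths. They cover the kinds of entries in the fix lists of posts 10 and 16 and the later BackgroundContainer and Utility Chest lines. SAMPLE_HJT_LINES copies lines from those posts plus one constructed benign ExampleUpdater entry as a control; classify and review_hjt are my names.

```python
"""Sort HijackThis-style log lines into flagged / clean / unclassified.

Added example for this thread; not part of HijackThis, MGtools or the
helper's procedure. The heuristics and function names are my own.
"""
import re

# Sample input: lines copied from the fix lists in this thread, plus one
# constructed benign "ExampleUpdater" entry as a control.
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:49164;https=127.0.0.1:49164",
    r"O2 - BHO: Norton Identity Protection - {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - (no file)",
    r"O3 - Toolbar: KeyBar 1.8 Toolbar - {9ed31f84-c8b3-4926-b950-dff74047ff79} - C:\Program Files (x86)\KeyBar_1.8\prxtbKeyB.dll",
    r"O4 - HKLM\..\Run: [UtilityChest_49 Browser Plugin Loader] C:\PROGRA~2\UTILIT~2\bar\1.bin\49brmon.exe",
    r"O4 - HKCU\..\Run: [Apps Hat] C:\Users\User\AppData\Local\WebPlayer\AppsHat\WebPlayer.exe",
    r'O4 - HKCU\..\Run: [BackgroundContainer] "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\User\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun',
    r'O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\Updater.exe" /quiet',  # constructed control
    r"O20 - AppInit_DLLs: c:\progra~3\wincert\win32c~1.dll",
    r"O23 - Service: Utility ChestService (UtilityChest_49Service) - Unknown owner - C:\PROGRA~2\UTILIT~2\bar\1.bin\49barsvc.exe (file missing)",
]

R1_RE = re.compile(r"^R1 - (?P<key>.+?),ProxyServer = (?P<value>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[^}]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

LOOPBACK = re.compile(r"127\.0\.0\.1|localhost", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Local|LocalLow|Roaming)\\|\\Temp\\", re.IGNORECASE)
SHORT_NAME = re.compile(r"~\d")          # PROGRA~2, UTILIT~2, win32c~1
RUNDLL = re.compile(r"rundll32", re.IGNORECASE)


def classify(line):
    """Return (bucket, reason) for one line; bucket is flagged/clean/unclassified."""
    m = R1_RE.match(line)
    if m:
        if LOOPBACK.search(m.group("value")):
            return "flagged", "browser proxy points at the loopback address: a local program is intercepting web traffic"
        return "clean", "proxy configured; confirm it is the expected one"
    m = O2_RE.match(line)
    if m:
        if m.group("path") == "(no file)":
            return "flagged", "BHO registration whose DLL no longer exists (orphan)"
        if USER_WRITABLE.search(m.group("path")):
            return "flagged", "BHO loaded from a user-writable folder"
        return "clean", "BHO with a present DLL; review by name"
    m = O4_RE.match(line)
    if m:
        cmd = m.group("command")
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("autorun from AppData/Temp")
        if RUNDLL.search(cmd):
            reasons.append("DLL started through rundll32")
        if SHORT_NAME.search(cmd):
            reasons.append("8.3 short path, typical of bundled installers")
        if reasons:
            return "flagged", "; ".join(reasons)
        return "clean", "autorun entry; no heuristic matched"
    m = O20_RE.match(line)
    if m:
        return "flagged", f"AppInit_DLLs is set ({m.group('value')}): injected into every process that loads user32.dll"
    m = O23_RE.match(line)
    if m:
        if "(file missing)" in m.group("path"):
            return "flagged", "service whose binary is missing (leftover registration)"
        if m.group("owner") == "Unknown owner":
            return "flagged", "service with no publisher information"
        return "clean", "service with a present, attributed binary"
    return "unclassified", "no rule for this entry type"


def review_hjt(lines):
    """Group lines by bucket; each entry is (line, reason)."""
    buckets = {"flagged": [], "clean": [], "unclassified": []}
    for line in lines:
        bucket, reason = classify(line.strip())
        buckets[bucket].append((line, reason))
    return buckets


if __name__ == "__main__":
    for bucket, entries in review_hjt(SAMPLE_HJT_LINES).items():
        print(f"== {bucket} ({len(entries)})")
        for line, reason in entries:
            print(f"  {line[:70]}...  [{reason}]")
```

The script pre-sorts a log so that specific lines can be picked out with a reason attached; it deliberately leaves "unclassified" lines (here the O3 toolbar) for a person to judge rather than guessing, which is the opposite of the "Fix All" that post 17 describes.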
  17. bricht

    bricht Private E-2

    I'm really sorry, but the only time I leave this site is when I click on a link to download a program. There seems to be a lot of malware download buttons along with the real download button. It's hard to figure out which one is the correct one. Honest, I'm not surfing! I use my laptop for that.

    After saying that, I screwed up with MGtools\analyze and did a complete scan, then fixed all. Is that going to cause a problem? PC seems to be working good. Maybe messed up the logs though?

    I didn't run JRT like you said the first time. Should I?
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    YES! Big problem. See my instructions. I did not ask you to "Fix All". I gave you specific things to fix. You removed things you need. You need to run analyse.exe now and restore from the last backup all the things you should not have removed. You removed the below items which were not in my list of things to fix


    Yes. My instructions said
    This includes OTM, JRT and GetLogs.bat
     
    Last edited: Oct 25, 2013
  19. bricht

    bricht Private E-2

    Okay. How do they look?
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good, Just uninstall Iminent. How are things working?

    Run Malwarebytes and empty the quarantine. You have a lot of stuff in there.
     
  21. bricht

    bricht Private E-2

    Everything running great. Still have defogger on my desktop so can hopefully change the setting w/o trouble. [fingers crossed]

    Follow the same finish procedure as before? I'd love to give this back to dad today and leave you in peace.
     
  22. bricht

    bricht Private E-2

    Don't see Iminent. Will run Malwarebytes and empty quarantine.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then run the below registry patch to remove it because it is there.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    After emptying the MBAM Quarantine, delete the C:\_OTM folder and then empty your Recycle bin. Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    • C:\MGlogs.zip
     
  24. bricht

    bricht Private E-2

    I did receive a success message. I deleted the C:\_OTM folder from the desktop, but the Recycle bin remained empty (I emptied it earlier). Don't know where it went. Attached is the MGlogs log.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay back in message # 10 ( before your problems came back and I think it may have been a System Restore ) I had asked you to uninstall the below which are back now. See if they can be uninstalled:


    TelevisionFanatic Firefox Toolbar
    TelevisionFanatic Internet Explorer Toolbar
    Utility Chest Firefox Toolbar
    Utility Chest Internet Explorer Toolbar

    If they will not uninstall, I will give you another registry patch to remove them.


    Also delete the below folder:
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot

    Delete the below file:
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot.lnk
     
  26. bricht

    bricht Private E-2

    OtShot file and folder deleted. The 4 programs won't uninstall; "missing specified module".
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we will use another registry patch. Overwrite the previous one.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now disable System Restore. Then reboot. After reboot enable System Restore. See the below if you do not know how to do this.

    http://www.howtogeek.com/howto/3187/disable-system-restore-in-windows-7/


    How are things working?
     
    Last edited: Oct 26, 2013
  28. bricht

    bricht Private E-2

    I did get the success message. The 4 programs are uninstalled. On reboot, a RUN DLL error message pops up: C:\Users\User\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll

    specified module not found.

    Otherwise seems to be working great.:)
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you successfully disable and reenable System Restore?

    The below will remove the DLL error you see:


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [BackgroundContainer] "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\User\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun

    After clicking Fix, exit HJT.
     
  30. bricht

    bricht Private E-2

    I did disable system restore previously and reenable it. I followed your last instructions, first without disabling system restore (fixed the dll line), and then after disabling it (the dll line wasn't there this 2nd time), but both times I get the same error message when I reboot.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's check the logs.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    • C:\MGlogs.zip
     
  32. bricht

    bricht Private E-2

    I ran C:\MGtools\GetLogs.bat twice. The first time I left Norton Antivirus on and it said it blocked Trojan.ADH. The second time, I disabled Norton; I attached MGlogs.zip of the second run.
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are no signs of the BackgroundContainer.dll file trying to be loaded anymore. Are you sure that you are still having that exact error message? I do see another issue though with a service from that Utility Chest still trying to load which we will fix.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O23 - Service: Utility ChestService (UtilityChest_49Service) - Unknown owner - C:\PROGRA~2\UTILIT~2\bar\1.bin\49barsvc.exe (file missing)

    After clicking Fix, exit HJT.

    Now right click on analyse.exe and select Run As Administrator again. Is the above entry truly gone now or did it return?
     
  34. bricht

    bricht Private E-2

    Still get the BackgroundContainer.dll file error message. Also, the UtilityChest did not go away. Was it necessary to reboot?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's try the below. Shut down Norton before running.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Services
    Utility ChestService
    UtilityChest_49Service
    
    :Files
    C:\PROGRA~2\UTILIT~2
    
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "TelevisionFanatic Home Page Guard 64 bit"=-
    "Utility Chest Home Page Guard 64 bit"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  36. bricht

    bricht Private E-2

    Here are the logs.
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the UtilityChest service was removed but some registry entries were not fixed. Let's try another registry patch.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  38. bricht

    bricht Private E-2

    Received the success message for adding to the registry. Still getting this error message after rebooting:

    There was a problem starting C:\Users\User\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll

    Otherwise, it's working great.
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, the last fix removed a couple more issues, but there must be some additional items that are hiding from view, so let's run a couple more scans to see if we can find them.

    Also, please download SystemLook_x64 from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      Conduit
      BackgroundContainer
      Home Page Guard
      PC Speed Maximizer
      MyPC Backup
      UtilityChest
      :filefind
      Conduit
    • Click the Look button to start the scan.
    • When finished, a Notepad window will open with the results of the scan. You can just close this Notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to your next reply.

    Now run a new scan ( only scan - do not fix anything ) with RogueKiller and attach the new log.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  40. bricht

    bricht Private E-2

    The new logs...
     

    Attached Files:

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Seems JRT missed a ton of stuff previously. And there's a ton more junk hiding that needs to be removed. Let's run a few more fixes. I will have to break this up into partial fixes over a few iterations since there is so much. The fix would be way too long in one message. Also, running some other tools may help to reduce the manual work.

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • You will be prompted to restart your computer. A text file will open after the restart.
    • You can just close it. Attach the below log file:
      • C:\AdwCleaner[S1].txt
    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    Download_Manager_and_Options
    Iminent
    MyPC Backup

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    Code:
    :OTL
    DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
    IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=1131&systemid=406&v=u9396-122&apn_uid=4524818548304544&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
    FF - HKLM\Software\MozillaPlugins\@TelevisionFanatic.com/Plugin: C:\Program Files (x86)\TelevisionFanatic\bar\1.bin\NP64Stub.dll File not found
    FF - HKLM\Software\MozillaPlugins\@UtilityChest_49.com/Plugin: C:\Program Files (x86)\UtilityChest_49\bar\1.bin\NP49Stub.dll File not found
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\64ffxtbr@TelevisionFanatic.com: C:\Program Files (x86)\TelevisionFanatic\bar\1.bin [2013/10/24 07:37:07 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\49ffxtbr@UtilityChest_49.com: C:\Program Files (x86)\UtilityChest_49\bar\1.bin
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\extension@FastFreeConverter.com: C:\Program Files (x86)\Fast Free Converter\FastFreeConverter\extension@FastFreeConverter.com
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linksicle@linksicle.com: C:\Program Files (x86)\Mozilla Firefox\extensions\linksicle@linksicle.com
    CHR - default_search_provider: AVG Secure Search (Enabled)
    CHR - default_search_provider: search_url = http://mysearch.avg.com/search?cid={3371C62B-0577-48BC-AA89-4AA1180D9DCB}&mid=015ff27a111c47d393b8d16c220624e8-4e34e748502e6cd91d75ec992d5531aeb56f8e7d&lang=en&ds=ts017&coid=avgtbdists&pr=sa&d=2013-10-22 05:20:01&v=17.0.0.12&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
    CHR - default_search_provider: suggest_url = http://toolbar.avg.com/acp?q={searchTerms}&o=1
    CHR - homepage: http://search.conduit.com/?ctid=CT3286042&SearchSource=48&CUI=UN42915552931772201&UM=
    CHR - Extension: KeyBar 1.8 = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaiibklhaneknloaoccoidbaffjjlnb\10.21.1.7_0\
    O2:64bit: - BHO: (LyricsParty-1) - {11111111-1111-1111-1111-110411181152} - C:\Program Files (x86)\LyricsParty-1\LyricsParty-1-bho64.dll File not found
    O3 - HKU\S-1-5-21-43422388-2980389715-242068834-1000\..\Toolbar\WebBrowser: (no name) - {07CBF788-1359-421B-A4E3-5A8D041B90A3} - No CLSID value found.
    O3 - HKU\S-1-5-21-43422388-2980389715-242068834-1000\..\Toolbar\WebBrowser: (no name) - {7E8A1050-CF67-4575-92DF-DCC60E7D952D} - No CLSID value found.
    O3 - HKU\S-1-5-21-43422388-2980389715-242068834-1000\..\Toolbar\WebBrowser: (no name) - {90A1B331-C2B4-4933-9F63-BA7B84D60D58} - No CLSID value found.
    O3 - HKU\S-1-5-21-43422388-2980389715-242068834-1000\..\Toolbar\WebBrowser: (no name) - {9ED31F84-C8B3-4926-B950-DFF74047FF79} - No CLSID value found.
    O3 - HKU\S-1-5-21-43422388-2980389715-242068834-1000\..\Toolbar\WebBrowser: (Utility Chest) - {CF67755F-9265-449C-87CF-B945519E073B} - C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49bar.dll File not found
    O20:64bit: - AppInit_DLLs: (C:\PROGRA~3\Wincert\WIN64C~1.DLL) -  File not found
    O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\MOVIES~1\Datamngr\x64\mgrldr.dll) -  File not found
    O36 - AppCertDlls: x64 - (C:\Program Files (x86)\Movies Toolbar\Datamngr\x64\apcrtldr.dll) -  File not found
    O36 - AppCertDlls: x86 - (C:\Program Files (x86)\Movies Toolbar\Datamngr\apcrtldr.dll) -  File not found
    [2013/10/04 06:50:27 | 000,000,000 | ---D | C] -- C:\Program Files\PC Optimizer Pro
    [2013/10/02 15:42:28 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\PC Speed Maximizer
    [2013/10/01 16:26:15 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\ilividmoviestoolbarha
    [2013/10/01 11:39:24 | 000,000,000 | ---D | C] -- C:\ProgramData\BitGuard
    @Alternate Data Stream - 481 bytes -> C:\Users\User\Documents\news item_.eml:OECustomProperty
    @Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:D346F792
    @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:AD022376
    @Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:373E1720
    :Files
    C:\ProgramData\BitGuard
    C:\Program Files (x86)\Download Manager and Options
    C:\Program Files (x86)\TelevisionFanatic
    C:\Users\User\AppData\Local\Conduit
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Download_Manager_and_Options]
    [-HKEY_CURRENT_USER\Software\Conduit]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\Conduit]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\ConduitSearchScopes]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\SmartBar]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\TrustWorthy]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Conduit]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\TrustWorthy]
    [HKEY_CURRENT_USER\Software\AppDataLow\Software\BackgroundContainer\LogicFileManager]
    "LogicFilePath"=-
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\BackgroundContainer]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\InternetHelper3.1]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\KeyBar_1.8]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\MixiDJ_V44]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\SweetPacks]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\SweetPacks_A2]
    [-HKEY_CURRENT_USER\Software\InternetHelper3.1\toolbar]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\conduit.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\conduitapps.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\facebook.conduitapps.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\search.conduit.com]
    [-HKEY_CURRENT_USER\Software\SweetPacks\toolbar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\InternetHelper3.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KeyBar_1.8]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{27C0F977-6BD9-4895-8F1E-8ACB450538EF}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{693A06FE-512B-4754-A429-6B081A0DD51E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7E3DFF78-B636-43D8-8B19-DBC7E891A699}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EBFFB978-61BF-4A99-A832-677C5895552E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA054CCF-3A31-4C78-A5C1-1D1A426B152A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MixiDJ_V44]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SweetPacks_A2]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WhiteSmoke_New]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\AppDataLow\Software\BackgroundContainer]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\AppDataLow\Software\InternetHelper3.1]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\AppDataLow\Software\KeyBar_1.8]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\AppDataLow\Software\MixiDJ_V44]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\AppDataLow\Software\SweetPacks]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\AppDataLow\Software\SweetPacks_A2]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\Microsoft\Internet Explorer\DOMStorage\app.mam.conduit.com]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\Microsoft\Internet Explorer\DOMStorage\conduit.com]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\Microsoft\Internet Explorer\DOMStorage\conduitapps.com]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\Microsoft\Internet Explorer\DOMStorage\facebook.conduitapps.com]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\Microsoft\Internet Explorer\DOMStorage\search.conduit.com]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\SweetPacks\toolbar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D268409-D9C9-409E-88F4-ABDF8CE1C767}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BackgroundContainer Startup Task]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\AppDataLow\Software\BackgroundContainer]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\AppDataLow\Software\BackgroundContainer\LogicFileManager]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
    "C:\Program Files (x86)\PC Speed Maximizer\PCSpeedMaximizer.exe"=-
    [HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    "C:\Users\User\Downloads\PCSpeedMaximizer.exe"=-
    [HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
    "C:\Program Files (x86)\PC Speed Maximizer\PCSpeedMaximizer.exe"=-
    [HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    "C:\Users\User\Downloads\PCSpeedMaximizer.exe"=-
    [HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
    "C:\Users\User\Downloads\PCSpeedMaximizer.exe"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\UtilityChest_49]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{103E3C9A-E8AE-4B19-A339-01FE9439763E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{24486CE9-7BC2-4516-B743-39FFDD4F861B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{326C4F48-FE3B-4E54-9118-9B6C3B6C9B1E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{39D884BB-2881-4F3A-B9B9-2D3AF4C2C191}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{59E5BDB9-126F-4575-901E-D32132A19B94}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5CF866F0-10A3-4ED4-9BE3-668F2F148E2F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{618B2F0C-A1AF-4D1D-9354-CF0C42AF5BCB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8EFEE482-37BC-4F3D-83E6-CB5BBE077E43}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CE1482C8-E8FD-4277-9A4F-094D712F6B60}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EEFDBFA7-0F18-4216-8F90-6B6F71D6AB83}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F12BA68C-976E-4567-BA3B-629DFCEBC5FE}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F66F6A81-E727-4774-B461-8A5CB7F7DE07}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.DynamicBarButton]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.DynamicBarButton.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.FeedManager]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.FeedManager.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.HTMLMenu]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.HTMLMenu.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.HTMLPanel]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.HTMLPanel.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.MultipleButton]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.MultipleButton.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.PseudoTransparentPlugin]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.PseudoTransparentPlugin.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.Radio]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.Radio.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UtilityChest_49.RadioSettings]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\AppDataLow\Software\UtilityChest_49]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\UtilityChest_49]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000\Software\Classes\Wow6432Node\CLSID\{7a55cbb2-2b2e-4a41-9de1-6ac5d2c2be0a}\InprocServer32]
    [-HKEY_USERS\S-1-5-21-43422388-2980389715-242068834-1000_Classes\Wow6432Node\CLSID\{7a55cbb2-2b2e-4a41-9de1-6ac5d2c2be0a}\InprocServer32]
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
     
    
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now rerun the same scan as previously with SystemLook.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from AdwCleaner
    • the log from OTL
    • the SystemLook log
    • C:\MGlogs.zip
    As noted above, we will still have more cleaning to do!
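    The OTM script in post 35 and the :Files/:Reg/:Commands sections of the OTL fix above share one script format. As an added example (not the thread's own code nor a tool from the OTM/OTL authors), this Python dry-run parser turns such a script into a plan of what the tool would be asked to do and flags the registry edits that hit autostart locations; the section names and the [-Key] / "Name"=- conventions come from the scripts above, while the marker list and the sample script are this example's own constructions.

```python
"""Dry-run parser for the OTM/OTL-style fix scripts quoted in this thread.
Added example, not a tool from the thread or the OTM/OTL authors: it only turns
the script into a plan and never touches processes, files or the registry.
Conventions follow the posted scripts: ':Name' starts a section, [-Key] deletes
a key, "Name"=- deletes a value under the preceding [Key]; :OTL lines are kept
unparsed."""
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the OTM script in post 35.
SAMPLE_SCRIPT = r"""
:Services
Utility ChestService
UtilityChest_49Service
:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"TelevisionFanatic Home Page Guard 64 bit"=-
"Utility Chest Home Page Guard 64 bit"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
:Commands
[purity]
[EmptyTemp]
[Reboot]
"""
# Autostart/hijack locations to review before deleting: heuristic substrings
# chosen for this example, not something the tools themselves define.
PERSISTENCE_MARKERS = (r"\currentversion\run", "appinit_dlls", "appcertdlls", r"\taskcache", "searchscopes")
_KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


@dataclass
class FixPlan:
    processes: list = field(default_factory=list)     # processes to stop
    services: list = field(default_factory=list)      # services to delete
    files: list = field(default_factory=list)         # paths moved to quarantine
    delete_keys: list = field(default_factory=list)   # whole registry keys
    delete_values: list = field(default_factory=list) # (key, value name) pairs
    commands: list = field(default_factory=list)      # purity, emptytemp, ...
    unmodelled: list = field(default_factory=list)    # lines not interpreted


def parse_fix_script(text: str) -> FixPlan:
    plan, section, current_key = FixPlan(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):                  # section header such as :Reg
            section, current_key = line[1:].lower(), None
        elif section in ("processes", "services", "files"):
            getattr(plan, section).append(line)
        elif section == "commands":
            plan.commands.append(line.strip("[]").lower())
        elif section == "reg":
            key, val = _KEY_RE.match(line), _VALUE_RE.match(line)
            if key and key.group(1):              # [-Key]: delete the whole key
                plan.delete_keys.append(key.group(2))
                current_key = None
            elif key:                             # [Key]: value lines follow
                current_key = key.group(2)
            elif val and current_key and val.group(2) == "-":
                plan.delete_values.append((current_key, val.group(1)))
            else:                                 # value writes etc. not modelled
                plan.unmodelled.append(line)
        else:
            plan.unmodelled.append(line)
    return plan


def persistence_points(plan: FixPlan) -> list:
    """Registry edits in the plan that hit known autostart/hijack locations."""
    targets = plan.delete_keys + [f"{k}\\{v}" for k, v in plan.delete_values]
    return [t for t in targets if any(m in t.lower() for m in PERSISTENCE_MARKERS)]
```

Running persistence_points over the plan before a fix is a cheap way to see which edits remove autostart entries (the Run values and the IE search scope here) rather than plain leftovers.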
     
  42. bricht

    bricht Private E-2

    I downloaded AdwCleaner, however your instructions didn't match exactly what I was seeing. I ran the program and attached the report before cleaning anything. Should I clean all the files, folders, shortcuts, registry, IE, Firefox and Chrome items? Don't want to screw anything up so just thought I'd verify first. Will wait to run other programs until I hear back from you.

    Also, with Windows 7, I ran AdwCleaner using 'run as administrator' option as I have all the other times.
     

    Attached Files:

  43. bricht

    bricht Private E-2

    Okay, I read up on AdwCleaner and since I can restore any of the stuff I cleaned out, I decided to go ahead and finish all your instructions. Attached are the new logs.
    It won't let me attach OTL.txt; says it was attached previously. I'll rename as OTL2.txt and try attaching it...Nope, that didn't work either.
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the log from the fix. Not the log from the original scan which you already attached. In my instructions for running the OTL fix the below was stated
    Are you still getting the error message at boot up?

    While AdwCleaner and the OTL fix likely removed a bunch of what I was seeing, the new SystemLook log shows a lot remains.
     
  45. bricht

    bricht Private E-2

    So sorry. Will do so when I get off work.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem. But do you remember if you were still getting the error message after the last fix?
     
  47. bricht

    bricht Private E-2

    Yes, the error message was still there. :(
     
  48. bricht

    bricht Private E-2

    Here's the OTL log.
     

    Attached Files:

  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, I can see now from the OTM log that it failed to remove the registry keys I was trying to remove. Do you know how to use the Windows Registry Editor?
     
  50. bricht

    bricht Private E-2

    Yes, I can manage.
     
