Amongst others, ClearThink removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by p45cal, Oct 10, 2014.

  1. p45cal

    p45cal Private E-2

    Having gone through http://forums.majorgeeks.com/showthread.php?t=139681 to having completed step 3, the process seemed to be without problems. I don't yet know for sure whether I'm still having problems. Anyway, I attach the log files to see whether you advise any other action I should take.
    Thank you!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the requested log from Malwarebytes.
    FYI: The Pokki software you installed comes with junkware and may even be the root cause of some of your problems!
    I recommend not using this unless you really cannot live without it.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Internet Helper Anti-phishing] "C:\ProgramData\Internet Helper Anti-phishing\internetHelper_antiphishing.exe"
    O4 - HKCU\..\Run: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe
    O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - (no file)

    After clicking Fix, exit HJT.

    Now uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    Optimizer Pro v3.2
    WSE_Lasaoren

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\ProgramData\Internet Helper Anti-phishing
    C:\Program Files (x86)\ClearThink
    C:\Windows\Prefetch\UPDATECLEARTHINK.EXE-CE9BF719.pf
    C:\Program Files (x86)\Optimizer Pro
    C:\Windows\Prefetch\OPTPROSETUP.TMP-7DA23B8D.pf
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2
    C:\Users\Dominique\AppData\Roaming\Optimizer Pro
    C:\Users\Dominique\AppData\Roaming\systweak
    C:\Users\Dominique\Documents\Optimizer Pro
    C:\WINDOWS\system32\Tasks\Optimizer Pro Schedule
    C:\Users\Dominique\AppData\Local\Temp\*.*
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}]
    [-HKEY_USERS\S-1-5-21-3073972351-614501796-1995160808-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Optimizer Pro"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{05660A04-00F1-3A04-AB3B-BC1074B84D67}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{37AC0F3B-749F-3B22-811B-5A019EED2E85}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{4392A6CC-7940-310E-8E16-799A8D93A438}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{66DF7821-ED6D-3534-893C-0E89E74B0F91}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{755CAFCC-F016-3B06-8F22-945EAA3AD10D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{76552F88-640C-314D-82B6-0D8A740907F7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{903F9872-E87F-3B74-83B0-DBE10073B29D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{9558EEB4-CDA6-3778-B53B-98076F0A1E90}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{B25AA9BA-FD52-3E5E-BFE3-9B106779DA6E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C852CF9F-37DC-35AC-926A-7E6CFFF7C501}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C9777796-4378-3C90-B52D-7238FFFC2A5C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{DB1BC8B2-FDBF-30E7-BE1C-AFF9160059E6}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{F3D5729C-7DEB-3850-A026-D0E323ECFEF5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FEC70973-CB8B-351C-8047-CAE1274CE249}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimizer Pro Schedule]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Systweak]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
    [-HKEY_USERS\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-21-3073972351-614501796-1995160808-1001\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-21-3073972351-614501796-1995160808-1001\Software\Optimizer Pro]
    [-HKEY_USERS\S-1-5-21-3073972351-614501796-1995160808-1001\Software\systweak]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Optimizer Pro"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "Internet Helper Anti-phishing"=-
    [HKEY_USERS\S-1-5-21-3073972351-614501796-1995160808-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "Optimizer Pro"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
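As an added example (not from this thread or its participants), a PowerShell check that re-tests the persistence points chaslang's OTM script and HijackThis fixes removed, so a returning entry like the Internet Helper Anti-phishing Run value reported later in the thread is spotted immediately. The paths and value names are taken from the thread; the user profile folder is resolved from the environment rather than hard-coded.

```powershell
# Added example: audit the persistence points named in the thread.
# Run as Administrator on the cleaned machine; reports what is still (or again) present.
$userProfile = $env:USERPROFILE   # the thread's machine used C:\Users\Dominique

# Autorun values HijackThis was told to fix (O4 lines) and the OTM :Reg section cleared
$runEntries = @(
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'; Name = 'Internet Helper Anti-phishing' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';             Name = 'Optimizer Pro' }
)

# Folders and the task file the OTM :Files section moved out
$paths = @(
    'C:\ProgramData\Internet Helper Anti-phishing',
    'C:\Program Files (x86)\ClearThink',
    'C:\Program Files (x86)\Optimizer Pro',
    "$userProfile\AppData\Roaming\Optimizer Pro",
    "$userProfile\AppData\Roaming\systweak",
    'C:\Windows\System32\Tasks\Optimizer Pro Schedule'
)

$findings = @()

foreach ($e in $runEntries) {
    # -Name on a missing value raises an error; suppress it and treat as "absent"
    $item = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "Run value present: $($e.Key)\$($e.Name) = $($item.$($e.Name))"
    }
}

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Path present: $p" }
}

# The scheduled task that relaunched Optimizer Pro (ScheduledTasks module, Windows 8 and later)
$task = Get-ScheduledTask -TaskName 'Optimizer Pro Schedule' -ErrorAction SilentlyContinue
if ($task) { $findings += "Scheduled task present: $($task.TaskName) ($($task.State))" }

if ($findings.Count -eq 0) {
    Write-Output 'No listed persistence points found.'
} else {
    Write-Output $findings
}
```

Any line of output means the item has reappeared and the reinstall source (a bundled installer or a still-running dropper) has not been removed, which is the situation the thread ends in.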
     
  3. p45cal

    p45cal Private E-2

    Hi,
    dr.moriarty's initial response seems to have been deleted - no worries, I think I understand why.
    I did forget to include the Malwarebytes log, when I get back to the machine in question (tomorrow afternoon) I will run through the procedure you advise above and include both Malwarebytes logs.

    I think the Pokki software may have come with the Lenovo machine and may already have been installed; I don't think the machine's owner and user, my brother, will object to it being removed.
     
  4. p45cal

    p45cal Private E-2

    I can't find the Malwarebytes log! - I'm certain I saved it. (Could it be McAfee scanning my thumb drive which I'm using to transfer files and logs as the browser on the infected machine was unusable? It deleted MGTools when I let it do a scan, I didn't notice whether it had deleted anything else)

    While using analyse.exe, the line:
    O4 - HKCU\..\Run: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe
    wasn't there to fix.

    Uninstalling:
    Optimizer Pro v3.2 wasn't there to uninstall.
    WSE_Lasaoren wouldn't let me uninstall (saying there was an error in the process).

    The rest went through without issue.

    See attached logs.

    Should I try and uninstall WSE_Lasaoren again? It's still in my 'Uninstall or change a program' list in Control Panel.

    I'd really like to go through the whole process again, as I wasn't able to supply the original Malwarebytes log - or do you advise something else?

    Thanks,
    p45cal
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes protection software can frequently get in the way. And yes some do have a habit of deleting programs like MGtools and many others we use to manually remove malware that the protection software totally misses or cannot remove.

    See if Revo Uninstaller can find any more traces of it to remove.

    http://www.majorgeeks.com/files/details/revo_uninstaller.html


    Shouldn't be necessary unless you are still having problems. So are you having any problems?
     
  6. p45cal

    p45cal Private E-2

    Thanks for responding, chaslang.

    RevoUninstaller seems to have got rid of WSE_Lasaoren.
    Problems seem to have largely gone except for some pop-up ads; on this very page, for example, the words Malware Removal are double-underlined and in green and when hovered over cause a pop-up with an advert. There is an i with a circle around it in the top left corner of this pop-up, which when clicked opens a new browser tab at www.amobee.com .
    There is something called Buzzdock in my Uninstall or change a program dialogue box.

    As an aside, this is a Lenovo machine with a bunch of programmes/applications, all prefixed with 'Lenovo':
    App Shop
    Assistant
    BlackSilk USB keyboard driver
    Dependency package
    Power2Go
    PowerDVD10
    Rescue System
    Solution Center

    and also (apparently) by Lenovo:
    FamilySafetyGuide
    LVT
    Driver and Application Installation

    all of which I've a mind to clean off the system since Lenovo's junkware seems to have been partly responsible for the introduction of these problems. Do you think I'll be able to do this without losing serious functionality on the Windows 8.1 machine?
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The mouse over ads are quite normal. ;)

    You can ask about the uninstallation of those programs in the software forum.

    Ready for final steps? :)
     
  8. p45cal

    p45cal Private E-2

    Yes, I think so… thank you.
    I asked Windows to uninstall Buzzdock; it said there was an error and asked whether I wanted to remove the entry from the list of installed apps, and I said 'Yes'.
    I haven't yet looked into what I can remove of the Lenovo stuff.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  10. p45cal

    p45cal Private E-2

    Internet Anti-phishing helper is Back!!
    Aaaaggghhh.

    Should I start all over again?
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You got reinfected already?

    Please begin a new thread in Malware Removal. Thanks.
     
  12. p45cal

    p45cal Private E-2

    Will do, thanks.
     
