Alog File Check

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by theremotedr, Aug 5, 2017.

  1. theremotedr

    theremotedr Master Sergeant

    I am working my way through the scan tools etc.
    Please can you supply a link for DISABLE UAC IN READ AND RUN ME INSTRUCTIONS.

    Thanks
     
    theremotedr, Aug 5, 2017
    #1
  2. theremotedr

    theremotedr Master Sergeant

    I have now finished running the scan tools as advised.
    Looking in some reports i see its found a few items that i do use.
    HM pro EFFI-172, HANDY BABY, JMD, ALARM CLOCK,

    I have removed jZip from ADD & REMOVE PROGRAMMES & trying 7 zip as advised on another post here.
    I DO NOT use Yahoo

    Please advise.
    Many Thanks
     

    Attached Files:

    theremotedr, Aug 5, 2017
    #2
  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You haven't followed the advice given in my posts.(See msgs #14 & 25)
     
    dr.moriarty, Aug 5, 2017
    #3
  4. theremotedr

    theremotedr Master Sergeant

    Hi
    I a man facing the same issue as last time.
    It get say 1/4 the way it seconds then sits there idle. Last time I did this it sat there for 5 hours and never moved at all.

    What do you advise please.
     
    theremotedr, Aug 5, 2017
    #4
  5. theremotedr

    theremotedr Master Sergeant

    I have followed the steps above but dont know how to progress with this ADW just sitting there.

    What can or should i do.
    There has been no movement of the progress bar since say 2 hours ago. Is this normal ????
     
    theremotedr, Aug 5, 2017
    #5
  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Terminate the AdwCleaner program and await further instructions...
     
    dr.moriarty, Aug 5, 2017
    #6
  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Uninstall Yahoo! Toolbar using GeekUninstaller
    GeekUninstaller 1.4.4.117

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
killallprocesses
:Files
C:\ProgramData\Yahoo! Companion
C:\ProgramData\Application Data\Yahoo! Companion
C:\Users\All Users\Yahoo! Companion
C:\Program Files\jZip
C:\Users\Ian\AppData\Local\Temp\jZip
C:\Program Files\Yahoo!\Companion
C:\Users\Ian\AppData\Roaming\Yahoo!\Companion
C:\Users\Ian\AppData\Roaming\Wise Euask
C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
C:\ProgramData\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
C:\Program Files\Yahoo!\Common\unyt.exe
C:\ProgramData\simplitec
C:\Users\Ian\AppData\Roaming\simplitec
:Reg
[-HKLM\SOFTWARE\Classes\AppID\YCAPlugin.DLL\]
[-HKLM\SOFTWARE\Classes\AppID\YMERemote.DLL\]
[-HKLM\SOFTWARE\Classes\AppID\YPUBC.DLL\]
[-HKLM\SOFTWARE\Classes\AppID\yt.DLL\]
[-HKLM\SOFTWARE\Classes\AppID\YTabBar.DLL\]
[-HKLM\SOFTWARE\Classes\AppID\YTBM.DLL\]
[-HKLM\SOFTWARE\Classes\AppID\YTMsgr.DLL\]
[-HKLM\SOFTWARE\Classes\AppID\{07CDAAD9-1226-4C6D-B774-C00E7B323484}\]
[-HKLM\SOFTWARE\Classes\AppID\{1CAE874F-F5C7-4BCC-BA46-9AD26DF35B93}\]
[-HKLM\SOFTWARE\Classes\AppID\{35860EFB-1589-4F32-A618-99E847A502B2}\]
[-HKLM\SOFTWARE\Classes\AppID\{41D7CEE0-D91F-498C-BC88-4A6BEE46C2BC}\]
[-HKLM\SOFTWARE\Classes\AppID\{7D831388-D405-4272-9511-A07440AD2927}\]
[-HKLM\SOFTWARE\Classes\AppID\{9EDCCD11-960D-49AE-B523-C6B5AB7E1345}\]
[-HKLM\SOFTWARE\Classes\AppID\{FFFFE1D1-E40D-49a1-9622-BC59BD1879C3}\]
[-HKLM\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}\]
[-HKLM\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}\]
[-HKLM\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\]
[-HKLM\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\]
[-HKLM\SOFTWARE\Classes\CLSID\{B7A0E898-93E5-43f4-B99A-6C70B303699C}\]
[-HKLM\SOFTWARE\Classes\CLSID\{C60CCE95-6AF9-4E74-B66B-3212D19F1D2F}\]
[-HKLM\SOFTWARE\Classes\CLSID\{D40A62D1-8FC0-4F03-90C4-0DE03BE73A41}\]
[-HKLM\SOFTWARE\Classes\CLSID\{DDCED22E-D018-471D-9A5C-A4EA2F21133D}\]
[-HKLM\SOFTWARE\Classes\CLSID\{E1A2D448-6334-45ec-8800-6D7F71DC87FC}\]
[-HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\]
[-HKLM\SOFTWARE\Classes\CLSID\{F51C15D4-3D0A-4DBA-A095-EBCC09F24DA2}\]
[-HKLM\SOFTWARE\Classes\CLSID\{FBE30D66-39A2-4b72-8B43-6D4C335A6F34}\]
[-HKLM\SOFTWARE\Classes\Interface\{11D5E9EA-3117-4389-8E58-742F0975C980}\]
[-HKLM\SOFTWARE\Classes\Interface\{12D3E096-0FDF-42CC-8F44-04944F9C1648}\]
[-HKLM\SOFTWARE\Classes\Interface\{22389F39-2CF4-47C4-B8B2-273BB16BF70C}\]
[-HKLM\SOFTWARE\Classes\Interface\{23E3CEB3-D63A-433E-A5D0-4DB1C501B915}\]
[-HKLM\SOFTWARE\Classes\Interface\{26A3152F-CF87-4C5B-8093-4D4B9EC084EB}\]
[-HKLM\SOFTWARE\Classes\Interface\{2723E96B-905F-4C64-8999-D868A08E6370}\]
[-HKLM\SOFTWARE\Classes\Interface\{2FCB4E7E-E5C7-4D07-BB2C-78DF2DA867AD}\]
[-HKLM\SOFTWARE\Classes\Interface\{3D592FCB-FEFD-43A6-9A4F-BDE2D4607D07}\]
[-HKLM\SOFTWARE\Classes\Interface\{49F018EE-F362-4B5B-8EC8-BCF9246ABF21}\]
[-HKLM\SOFTWARE\Classes\Interface\{67E5E37C-E6B8-4782-877D-E9437C4CD982}\]
[-HKLM\SOFTWARE\Classes\Interface\{686D40BC-FA43-4317-8474-E634E6B487F2}\]
[-HKLM\SOFTWARE\Classes\Interface\{7207E52B-821E-4C05-A8D6-2965B2BE77CF}\]
[-HKLM\SOFTWARE\Classes\Interface\{8233093C-178B-484B-979E-3C6B5B147DBC}\]
[-HKLM\SOFTWARE\Classes\Interface\{863FCF5D-DC39-4DA9-AF32-CB0025990EEE}\]
[-HKLM\SOFTWARE\Classes\Interface\{A310B105-FB7D-4497-A7E8-E046462B012F}\]
[-HKLM\SOFTWARE\Classes\Interface\{B09E015A-4D4E-4F8D-A436-95E19140947D}\]
[-HKLM\SOFTWARE\Classes\Interface\{B1E712C4-03AA-495F-B0F5-0F057E126E2A}\]
[-HKLM\SOFTWARE\Classes\Interface\{D13DC65C-C77B-4986-9078-DEA3D34C71BB}\]
[-HKLM\SOFTWARE\Classes\Interface\{DF522774-8CA0-4B15-A93A-5F61AB95DA1C}\]
[-HKLM\SOFTWARE\Classes\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}\]
[-HKLM\SOFTWARE\Classes\TypeLib\{4A1E52AC-64F2-49E9-BFD7-0806D9494DBB}\]
[-HKLM\SOFTWARE\Classes\TypeLib\{78DB07DF-483E-4829-AB44-ED7952083584}\]
[-HKLM\SOFTWARE\Classes\TypeLib\{8A1AB044-787D-4309-8410-709768E484AB}\]
[-HKLM\SOFTWARE\Classes\TypeLib\{A2C55651-A23E-43CA-B63D-C10B99EFF7E0}\]
[-HKLM\SOFTWARE\Classes\TypeLib\{AD34BE7D-2603-43DD-8D1F-E4431D42C44E}\]
[-HKLM\SOFTWARE\Classes\TypeLib\{B722ED8B-0B38-408E-BB89-260C73BCF3D4}\]
[-HKLM\SOFTWARE\Classes\TypeLib\{B82D18E0-1649-48DE-92D7-AA89BBB5F0AD}\]
[-HKLM\SOFTWARE\Classes\TypeLib\{D2EA97F6-6235-4B2D-B5AA-A4472B9CE557}\]
[-HKLM\SOFTWARE\Classes\Yahoo.AntiSpyPlugin.6\]
[-HKLM\SOFTWARE\Classes\Yahoo.AntiSpyPlugin\]
[-HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin.4\]
[-HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin\]
[-HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1\]
[-HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar\]
[-HKLM\SOFTWARE\Classes\YCAPlugin.CAYASPlugin.1\]
[-HKLM\SOFTWARE\Classes\YCAPlugin.CAYASPlugin\]
[-HKLM\SOFTWARE\Classes\YMERemote.YMECompPlugin.1\]
[-HKLM\SOFTWARE\Classes\YMERemote.YMECompPlugin\]
[-HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl.1\]
[-HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl]\
[-HKLM\SOFTWARE\Classes\YPUBC.DataStore.1\]
[-HKLM\SOFTWARE\Classes\YPUBC.DataStore\]
[-HKLM\SOFTWARE\Classes\YPUBC.PUBHTMLEventHandler.1\]
[-HKLM\SOFTWARE\Classes\YPUBC.PUBHTMLEventHandler\]
[-HKLM\SOFTWARE\Classes\YPUBC.StringList.1\]
[-HKLM\SOFTWARE\Classes\YPUBC.StringList\]
[-HKLM\SOFTWARE\Classes\yt.YTHelper.2\]
[-HKLM\SOFTWARE\Classes\yt.YTHelper\]
[-HKLM\SOFTWARE\Classes\yt.YToolbarBand\]
[-HKLM\SOFTWARE\Classes\YTabBar.YTabBarControl.1\]
[-HKLM\SOFTWARE\Classes\YTabBar.YTabBarControl\]
[-HKLM\SOFTWARE\Classes\YTBM.YTBMButton.1\]
[-HKLM\SOFTWARE\Classes\YTBM.YTBMButton\]
[-HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}\]
[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\]
[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4efb-9B51-7695ECA05670}\]
[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\]
[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion\]
[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar\]
[-HKLM\SOFTWARE\Yahoo\Companion\]
[-HKU\S-1-5-21-2052246637-699227346-1952638870-1001\Software\AppDataLow\Software\Yahoo\Companion\[
[-HKU\S-1-5-21-2052246637-699227346-1952638870-1001\Software\Yahoo\Companion\]
[-HKU\S-1-5-21-2052246637-699227346-1952638870-1001\Software\Yahoo\YFriendsBar\]
:Commands
[EmptyTemp]
[start explorer]
[Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow barand choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt%21.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. *Just look for the most recent .log file. Upload this log file to your next message.

    Now re-run both HitmanPro and RogueKiller - upload those new logs also.
     
    dr.moriarty, Aug 5, 2017
    #7
  8. theremotedr

    theremotedr Master Sergeant

    Hi,
    I have supplied the 3 log files as requested.

    Thanks for the help with this.
    As mentioned before i do use the following.
    EFFI
    JMD
    SKP 900
    ATOMIC CLOCK
    HANDY BABY
     

    Attached Files:

    theremotedr, Aug 6, 2017
    #8
  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Do you use Smart File Advisor? How is the PC running?
     
    dr.moriarty, Aug 6, 2017
    #9
  10. theremotedr

    theremotedr Master Sergeant

    I think that's a no or what is smart file advisor.
    Pc seems ok but I haven't restarted it since sending these logs.
    Should I ?
     
    theremotedr, Aug 6, 2017
    #10
  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    I found that it was a left-over. Re-run RogueKiller and click the Registry tab and locate these detections - select and delete them.

    [PUP.SmartFile] HKEY_LOCAL_MACHINE\Software\Smart File Advisor -> Found
    [PUP.SmartFile] HKEY_USERS\S-1-5-21-2052246637-699227346-1952638870-1001\Software\Smart File Advisor -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-21-2052246637-699227346-1952638870-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://home.jzip.com -> Found​
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Upload it to your next message.
     
    dr.moriarty, Aug 6, 2017
    #11
  12. theremotedr

    theremotedr Master Sergeant

    Ive run it again and attached the file as requested.
     

    Attached Files:

    theremotedr, Aug 6, 2017
    #12
  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Here's something new appearing -delete it with RK...

    [PUP.Gen1] HKEY_USERS\S-1-5-21-2052246637-699227346-1952638870-500\Software\jZip -> Not selected​

    *Tell me how the PC is running
     
    dr.moriarty, Aug 7, 2017
    #13
  14. theremotedr

    theremotedr Master Sergeant

    Hi,
    Ive run it again as advised.
    This time i dont see it.
    I have done a search for jZip and nothing was found.

    Please see attached log.
    Thanks
    I will use the pc for a few hours then report back.
     

    Attached Files:

    theremotedr, Aug 7, 2017
    #14
  15. theremotedr

    theremotedr Master Sergeant

    Hi,
    I have been using the pc this morning for around 4 hours and seems ok with me.
    Please advise.

    Thanks very much
     
    theremotedr, Aug 7, 2017
    #15
  16. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    2. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    3. If running Vista, Win 7/8 - it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    4. Go to add/remove programs and uninstall HijackThis.
    5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Clean up your restore points:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    7. After doing the above, you should work through the below link:
     
    dr.moriarty, Aug 7, 2017
    #16
  17. theremotedr

    theremotedr Master Sergeant

    I have now done the above.

    Many thanks
     
    theremotedr, Aug 7, 2017
    #17
  18. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome.
     
    dr.moriarty, Aug 7, 2017
    #18
  19. theremotedr

    theremotedr Master Sergeant

    Hi,
    Can you advise please.

    I see a few icons with a yellow/blue logo shield on.
    can you advise what this shield is please.

    Also the Atomic clock will only work if i click on the icon each time and select run as admin.
    If i switch user to ADMIN its installed fine,switch back to my user profile & nothing unless i do as shown above.
    Its even in the start up folder ???
     
    theremotedr, Aug 8, 2017
    #19
  20. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

     
    dr.moriarty, Aug 8, 2017
    #20
  21. theremotedr

    theremotedr Master Sergeant

    I have read the same kind on answer elsewhere but in the UAC the slider is right at the bottom.
    I then posted the question here as i could not understand why it happening.
     
    theremotedr, Aug 8, 2017
    #21
  22. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    That's all unrelated to this thread on malware removal.
     
    dr.moriarty, Aug 8, 2017
    #22

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds