Browser Redirect Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by grayham, Dec 30, 2012.

  1. grayham

    grayham Private E-2

    I started having problems a couple of days ago with a process taking over my Internet Explorer when making searches. It redirects the search to ad sites and, during the process of completing this site's Win 7 Malware Removal/Cleaning Process, it changed my home page to Claro search. When this first occurred, I ran Malwarebytes and Trojan Killer and each found and cleaned a trojan. That has not stopped the problem.

    I have completed the tests under the removal process and none removed anything that I could see. I have attached the log files from this process.

    Nothing I do seems to fix the problem and I would appreciate your help.
    Thanks
    Greg
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please do the below while I work up more fixes. Tell me what happens when you do the below.

    Now please click Start, and type cmd.exe into the search box.
    • You should see a cmd.exe black icon appear in the Programs area of the Start Menu.
    • Right click on cmd.exe and select Run As Administrator.
    • A command prompt window will open.
    • Enter the below commands in this window. Do both commands even if you receive an error on the first. Follow each by the enter key. Note there are spaces after the sc and after the stop and after the delete.

      sc stop BrowserProtect
      sc delete BrowserProtect
     
  3. grayham

    grayham Private E-2

    Done. The first command received the response "[SC] ControlService FAILED 1062: This service has not been started."

    The second resulted in "[SC] DeleteService SUCCESS"
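    The two sc.exe commands above, and the 1062 response they produced, as an added PowerShell example. This is editor-supplied code, not part of the thread and not one of MajorGeeks' tools. It performs the same stop and delete, but first reports what the Service Control Manager knows about the service (state, start mode, image path), treats "not started" as the harmless case it is, and afterwards re-queries the SCM instead of trusting the SUCCESS banner. The function name Remove-SuspectService is an assumption of this example; the service names BrowserProtect and bprotect are the two this thread names. It assumes an elevated Windows PowerShell session (Get-WmiObject rather than Get-CimInstance because Windows 7 shipped with PowerShell 2.0).

```powershell
# Added example (editor-supplied; not from the thread or MajorGeeks' tooling).
# Same effect as "sc stop <name>" followed by "sc delete <name>", with checks
# around it. Run from an elevated Windows PowerShell.

function Remove-SuspectService {
    param([Parameter(Mandatory = $true)][string]$Name)

    # Win32_Service exposes the image path and start mode, which "sc query"
    # does not show and which tell you what you are about to delete.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        Write-Host "[$Name] not registered with the Service Control Manager"
        return $false
    }
    Write-Host "[$Name] state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)"

    # HijackThis reported BrowserProtect as "(file missing)": an orphaned
    # entry whose binary is already gone. Still delete it so nothing can
    # recreate the file and have it start again.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
    if ($exe -and -not (Test-Path -LiteralPath $exe)) {
        Write-Host "[$Name] binary not found on disk: orphaned service entry"
    }

    # "sc stop" on a service that is not running fails with 1062
    # (ERROR_SERVICE_NOT_ACTIVE); that is the harmless case reported above.
    if ($svc.State -ne 'Stopped') {
        & sc.exe stop $Name | Out-Null
        try {
            (Get-Service -Name $Name).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(15))
        } catch {
            Write-Host "[$Name] did not stop within 15 s; deletion will only take effect at reboot"
        }
    }

    & sc.exe delete $Name | Out-Null
    # 0 = deleted now; 1072 = ERROR_SERVICE_MARKED_FOR_DELETE, meaning a handle
    # is still open (the process, or the Services MMC) and it goes at reboot.
    if ($LASTEXITCODE -ne 0) {
        Write-Host "[$Name] sc delete returned $LASTEXITCODE"
        return $false
    }

    # Verify against the SCM rather than trusting the "[SC] DeleteService SUCCESS" text.
    $gone = -not (Get-WmiObject -Class Win32_Service -Filter "Name='$Name'")
    Write-Host "[$Name] removed: $gone"
    return $gone
}

# The two names that come up in this thread; bprotect is the companion service
# chaslang mentions later. Add others as your own HJT log shows them.
foreach ($n in 'BrowserProtect', 'bprotect') { Remove-SuspectService -Name $n | Out-Null }
```

    Both runs print a line per service; a service that is absent from the SCM (for example because the earlier sc delete already succeeded) is reported as such rather than treated as an error.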
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now do the below.

    Uninstall the below software:
    BrowserProtect
    Claro Chrome Toolbar
    Claro toolbar
    Java(TM) 6 Update 26

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select any of the following lines that still exist (some may be gone after the above uninstalls) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.claro-search.com/?affID=...HP_ss&mntrId=56d2751300000000000000ffc8d79a88
    O2 - BHO: Claro LTD Helper Object - {000F18F2-09EB-4A59-82B2-5AE4184C39C3} - C:\Program Files\Claro LTD\claro\1.8.8.5\bh\claro.dll
    O3 - Toolbar: Claro LTD Toolbar - {9E131A93-EED7-4BEB-B015-A0ADB30B5646} - C:\Program Files\Claro LTD\claro\1.8.8.5\claroTlbr.dll
    O4 - HKCU\..\Run: [StartNow Search Protect] "C:\Program Files\StartNow Toolbar\search_protect.exe" /RELAY /REPORT /PROTECT
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [Novell] rundll32 "C:\Users\u21469\AppData\Local\Secomba_GmbH\Novell\wtfbiqgw.dll",mpegOutVideoNewW
    O4 - HKUS\S-1-5-19\..\Run: [Novell] rundll32 "C:\Users\u21469\AppData\Local\Secomba_GmbH\Novell\wtfbiqgw.dll",mpegOutVideoNewW (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Novell] rundll32 "C:\Users\u21469\AppData\Local\Secomba_GmbH\Novell\wtfbiqgw.dll",mpegOutVideoNewW (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Novell] rundll32 "C:\Users\u21469\AppData\Local\Secomba_GmbH\Novell\wtfbiqgw.dll",mpegOutVideoNewW (User 'Default user')
    O20 - AppInit_DLLs: browse~1\261040~1.25\{c16c1~1\browse~1.dll
    O23 - Service: BrowserProtect - Unknown owner - BrowserProtect\2.6.1040.25\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe (file missing)
    O23 - Service: SpyHunter 4 Service - Unknown owner - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE (file missing)

    After clicking Fix, exit HJT.



    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just the title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Services
    SpyHunter 4 Service
    BrowserProtect
    bprotect
     
    :Files
    C:\ProgramData\Babylon
    C:\Program Files\Claro LTD
    C:\Program Files\Enigma Software Group
    C:\Program Files\StartNow Toolbar
    C:\Users\u21469\AppData\LocalLow\Claro LTD
    C:\Users\u21469\AppData\Roaming\Babylon
    C:\Users\u21469\AppData\Roaming\Claro
    C:\Users\u21469\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowserProtect
    C:\Windows\Installer\{069B290F-5398-4629-A009-85B4BCB4B1B9}
    C:\Users\u21469\AppData\Local\Secomba_GmbH\Novell\wtfbiqgw.dll
    C:\Users\u21469\AppData\Local\Temp\*.*
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000F18F2-09EB-4A59-82B2-5AE4184C39C3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.claroHlpr.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.claroHlpr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000F18F2-09EB-4A59-82B2-5AE4184C39C3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{000F18F2-09EB-4A59-82B2-5AE4184C39C3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.clarodskBnd.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.clarodskBnd]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Babylon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Claro LTD]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escort.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C3110516-8EFC-49D6-8B72-69354F332062}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CCC3E766-7BA9-4629-AC1A-7F4B7F362E65}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\c]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.claroappCore.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.claroappCore]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.clarodskBnd.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.clarodskBnd]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.claroHlpr.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.claroHlpr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000F18F2-09EB-4A59-82B2-5AE4184C39C3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05340575-7D2A-4266-9A84-7EEBDC476884}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97C47A30-3CFB-474B-94E3-6019A7EE0610}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE4FC43F-84CE-4E20-88C2-2188525B47FB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F398D871-ED00-42A8-BEAA-0209E9E59FCC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.claroESrvc.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.claroESrvc]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\F092B960893592640A90584BCB4B1B9B]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\F092B960893592640A90584BCB4B1B9B]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2E4A8FA31C5CBF34AB8A9A1FEEC064D1\F092B960893592640A90584BCB4B1B9B]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{16466D47-74A8-4928-B8B2-07CD79ABFC9F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26D5CC0A-7A46-4D86-AF45-2EFA320B0C54}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D13AC8F-037E-40C5-ADA6-231BA74EA2F4}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{322EDCF5-9E7D-4021-8C67-F3FFE4961A38}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3E254398-828F-4D51-A39E-3F6B6D96A12C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{442DAF0C-7EAD-48D9-ABEA-E0036470D6D5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{58EB187D-24F8-4423-BD6C-655CE4C416BD}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6BEB066C-A791-4A21-B934-7783533FE888}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A07612DF-B1DD-484F-A1C3-36CA4CE919D2}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A76F97B2-2C56-456A-A29E-72741595C2E8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B19D9D96-E59C-4936-B283-8A831CDB3A53}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DC8AAABA-3F8B-4866-8B3A-D9368133A478}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E15519AE-99BE-42DD-BE60-FFC3C183F443}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A903AC15-686E-4D67-A355-86FCBE9F60DA}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCC3E766-7BA9-4629-AC1A-7F4B7F362E65}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\dcillohgikpecbmgioknapdpcjofaafl]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\pgafcinpmmpklohkojmllohdhomoefph]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{60295942-9E5F-4EE8-B785-3A655904D24F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000F18F2-09EB-4A59-82B2-5AE4184C39C3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\2E4A8FA31C5CBF34AB8A9A1FEEC064D1\F092B960893592640A90584BCB4B1B9B]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4B2468513CA2D6943A1A233CD3F88CE7]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A9FAC99E2D8280F4482F22004D09FBA2]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AE26D37B0FFFAE4559860C5C4D938B71]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F092B960893592640A90584BCB4B1B9B]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{069B290F-5398-4629-A009-85B4BCB4B1B9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{15D2D75C-9CB2-4efd-BAD7-B9B4CB4BC693}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BrowserProtect]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\BrowserProtect]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BrowserProtect]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\Software\Claro LTD]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\Software\DataMngr]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\Software\DataMngr_Toolbar]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\Software\Microsoft\ClaroDirectory]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\Software\Microsoft\Internet Explorer\Main\bProtector Start Page]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\Software\Microsoft\Internet Explorer\SearchScopes\bProtectorDefaultScope]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000F18F2-09EB-4A59-82B2-5AE4184C39C3}]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_USERS\S-1-5-21-1343024091-261903793-682003330-92993\Software\mozilla\Firefox\Extensions\{58bd07eb-0ee0-4df0-8121-dc9b693373df}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{9E131A93-EED7-4BEB-B015-A0ADB30B5646}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "StartNow Search Protect"=-
    "Novell"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Novell"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "bProtectorDefaultScope"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5BADFCD9-21DC-4695-87BF-6B6AE8CDAD23}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"="res://ieframe.dll/tabswelcome.htm"
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Dec 31, 2012
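    The fix above is a list of autostart locations (R0 start page, O2 BHOs, O3 toolbars, O4 Run keys in several user hives, O20 AppInit_DLLs, O23 services) and, in the OTM :Reg section, .reg-file style deletions ([-KEY] removes a key, "name"=- removes a value, "name"="" sets it empty). The script below is an added example, editor-supplied and not part of this thread or of the MGtools/HijackThis/OTM tooling: a read-only audit of those same locations that flags entries whose target is missing from disk (HJT's "(file missing)"), runs out of a profile or data directory (as the rundll32 "Novell" DLL under AppData does), or matches the two Claro CLSIDs listed above. Run it before the fix to confirm the findings and again afterwards to verify they are gone. The helper names (Add-Finding, Get-ImagePath, Get-TargetStatus) are assumptions of this example; the CLSIDs and service names are copied from the log lines above. It assumes an elevated Windows PowerShell and also checks Wow6432Node for 64-bit hosts, although the machine in the thread was 32-bit.

```powershell
# Added example (editor-supplied; not from this thread or from MajorGeeks'
# tooling). Read-only audit of the autostart locations behind the HijackThis
# lines above. Nothing is changed; it only reports. Elevated PowerShell.

$KnownBadClsids = @(                              # copied from the O2/O3 lines
    '{000F18F2-09EB-4A59-82B2-5AE4184C39C3}',     # Claro LTD Helper Object
    '{9E131A93-EED7-4BEB-B015-A0ADB30B5646}'      # Claro LTD Toolbar
)
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Where, [string]$Name, [string]$Target, [string]$Status) {
    $findings.Add((New-Object PSObject -Property @{ Location = $Where; Name = $Name; Target = $Target; Status = $Status }))
}

function Get-ImagePath([string]$Command) {
    # The file a command line actually runs. For rundll32 that is the DLL
    # (see the "Novell" O4 entries), not rundll32.exe itself.
    if (-not $Command) { return $null }
    $c = $Command.Trim()
    if ($c -match '^rundll32(\.exe)?\s+"?([^",]+)"?') { return $Matches[2] }
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-TargetStatus([string]$Path) {
    if (-not $Path) { return 'no path' }
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $p)) { return 'FILE MISSING' }
    if ($p -match '\\AppData\\|\\ProgramData\\|\\Temp\\') { return 'runs from profile/data dir' }
    return 'ok'
}

# O4: HKLM plus every hive under HKEY_USERS (that is where the S-1-5-18,
# S-1-5-19 and .DEFAULT "Novell" entries in the log live).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
            ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in ($props.PSObject.Properties | ForEach-Object { $_.Name } | Where-Object { $_ -notmatch '^PS' })) {
        $cmd = [string]$props.$name
        Add-Finding 'O4 Run' "$key :: $name" $cmd (Get-TargetStatus (Get-ImagePath $cmd))
    }
}

# O2/O3: BHOs are subkeys named by CLSID, toolbars are values named by CLSID;
# resolve each CLSID to its InprocServer32 DLL.
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $bho = Get-ChildItem -LiteralPath "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ErrorAction SilentlyContinue |
           ForEach-Object { $_.PSChildName }
    $tlbKey = Get-ItemProperty -LiteralPath "$root\Microsoft\Internet Explorer\Toolbar" -ErrorAction SilentlyContinue
    $tlb = if ($tlbKey) { $tlbKey.PSObject.Properties | ForEach-Object { $_.Name } | Where-Object { $_ -match '^\{[0-9A-F-]{36}\}$' } }
    foreach ($clsid in @($bho) + @($tlb)) {
        if (-not $clsid) { continue }
        $dll = (Get-ItemProperty -LiteralPath "$root\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $status = if ($KnownBadClsids -contains $clsid) { 'KNOWN BAD (Claro)' } else { Get-TargetStatus $dll }
        Add-Finding 'O2/O3 BHO-Toolbar' $clsid $dll $status
    }
}

# O20: AppInit_DLLs is loaded into every process that loads user32.dll while
# LoadAppInit_DLLs is 1, so any non-empty value needs review. The 8.3 path in
# the log points into the same BrowserProtect directory as the O23 service.
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $w = Get-ItemProperty -LiteralPath "$root\Microsoft\Windows NT\CurrentVersion\Windows" -ErrorAction SilentlyContinue
    if ($w.AppInit_DLLs) {
        Add-Finding 'O20 AppInit_DLLs' "$root (LoadAppInit_DLLs=$($w.LoadAppInit_DLLs))" $w.AppInit_DLLs 'non-empty: review'
    }
}

# O23: services whose binary is gone or lives somewhere odd, plus the two
# names this thread is about (Get-WmiObject: Win7 shipped PowerShell 2.0).
Get-WmiObject -Class Win32_Service | ForEach-Object {
    $status = Get-TargetStatus (Get-ImagePath $_.PathName)
    if ($status -ne 'ok' -or $_.Name -match '^(BrowserProtect|bprotect)$') {
        Add-Finding 'O23 Service' $_.Name $_.PathName $status
    }
}

# R0: the IE start page the hijack rewrote (claro-search.com in the log).
$ieMain = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain.'Start Page') {
    $s = if ($ieMain.'Start Page' -match 'claro-search\.com') { 'KNOWN BAD (Claro)' } else { 'review' }
    Add-Finding 'R0 Start Page' 'HKCU' $ieMain.'Start Page' $s
}

$findings | Select-Object Location, Name, Target, Status | Sort-Object Status, Location | Format-Table -AutoSize -Wrap
```

    Entries marked ok are legitimate startup items that the script simply could not fault; the table is for reading, not for blind deletion. An entry under HKEY_USERS\S-1-5-18 or S-1-5-19 is the SYSTEM or LOCAL SERVICE hive, which is why the same "Novell" DLL showed up four times in the HJT output.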
  5. grayham

    grayham Private E-2

    Did not go well. The uninstalls seemed to work, but when I got to the Fix on MGtools, it required a reboot, which I did. Then I downloaded OTM and ran as administrator, but when I would try to copy the specified text, OTM would disappear from the desktop. I reran and got the copy done and when I hit MoveIt! everything was removed from my desktop and I could not get anything to reappear. I rebooted and started over, but I cannot uninstall BrowserProtect; it says I do not have sufficient access.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please just attach the log from OTM and get the new MGlogs.zip so that I can see what was changed and what has not. Then I can work up a new fix. We will likely have to use some other tools.

    You most likely still have a service like bprotect running that needs to be stopped.
     
  7. grayham

    grayham Private E-2

    Sorry for the delay. The log MGlogs.zip attached. The _OTM/Moved Files folder was empty.
    Greg
     
  8. grayham

    grayham Private E-2

    I noticed that the zip file did not attach. When I try to send it, I get a message that it has already been uploaded. I reran the HijackThis and asked for a log file, which seems to show my last point.
    Greg
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow the instructions which stated to run C:\MGtools\GetLogs.bat

    Don't need this. We need the new MGlogs.zip file
     
  10. grayham

    grayham Private E-2

    Sorry, here is the file.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it appears that some parts of the fix worked and some did not. Let's do another fix.

    Also I have a question. Why haven't you installed the updates to Win 7? You have not installed the SP1 update.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Delete the below folders:
    C:\Users\u21469\AppData\Roaming\Babylon
    C:\Users\u21469\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowserProtect
    C:\ProgramData\Babylon
    C:\Program Files\Enigma Software Group


    Now rerun a scan with Hitman Pro and attach the new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




    Then attach the below logs:
    • the new Hitman Pro log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Dec 31, 2012
  12. grayham

    grayham Private E-2

    The fixme process received a success response.

    The deletions all went fine, as did the two additional program runs. The log files are attached.

    I have tried IE and have not had any problem with searches through the browser.

    On the updates, this is a computer I use when I am out of the office and I thought it was being updated and maintained at the office. I was obviously mistaken. When this is finished, I plan to update, install a malware monitoring program, and turn on Windows Update, which I discovered is not running.
    Thanks
    Greg
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we still have some more to do.

    Delete the below folder:
    C:\Users\u21469\AppData\LocalLow\Claro LTD

    Now copy the bold text below to notepad. Save it as fixme2.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Now make sure you tell me how things are working.
     
  14. grayham

    grayham Private E-2

    The fixme reported success. I removed the specified folder and ran the JRT program. Its log is attached.
    IE and Google seem to be working normally.
     

    Attached Files: JRT.txt (1.9 KB)
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  16. grayham

    grayham Private E-2

    Thanks for your help, it was excellent. As detailed as that process was, I would have wound up reformatting and reloading everything.

    When I started to uninstall programs, I found that the Control Panel, Programs and Features had been cleaned in the process and contained only two items. If you know a good uninstaller program that will work on W7, please let me know. Otherwise, I can work around it.

    Again, thanks very much.
    Greg
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the attached UnKey.txt file and save to your Desktop. Then right click on it and select Rename. Change the name to UnKey.reg

    You will likely be prompted about changing the file extension. Just accept the change.

    Then right click the UnKey.reg file and select Merge. Approve any prompts to allow it to be merged into the registry. Then reboot your PC. See if this restores the missing items.
     


  18. grayham

    grayham Private E-2

    It worked wonderfully.

    Again, thanks.
    greg
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
